THE EU DATA PROTECTION DIRECTIVE: IMPLICATIONS FOR THE U.S. PRIVACY DEBATE

THURSDAY, MARCH 8, 2001

House of Representatives,

Committee on Energy and Commerce,

Subcommittee on Commerce, Trade, and Consumer Protection,

Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2123, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding.

Members present: Representatives Stearns, Deal, Shimkus, Bryant, Buyer, Radanovich, Pitts, Bono, Walden, Bass, Tauzin (ex officio), Towns, DeGette, Doyle, Markey, and Gordon.

Staff present: Ramsen Betfarhad, majority counsel; Yong Choe, legislative clerk; and Bruce M. Gwinn, minority counsel.

Mr. Stearns. Subcommittee on Commerce, Consumer Protection, and Trade will convene.

I like to start as much as possible right on time, so I hope we will start a precedent, so that members will understand that if we arrive early then we get things moving, and then we don’t have to spend as much time here waiting.

I welcome you all to the second hearing of the Subcommittee on Commerce, Trade, and Consumer Protection of the Energy and Commerce Committee. I especially want to acknowledge our distinguished guests from Europe, Professor Stefano Rodota, the president of the Italian Data Protection Commission and chairman of an EU Data Protection Working Group; and Mr. David Smith, Assistant UK Information Commissioner.

I thank you for making the long journey and am pleased to have distinguished European officials such as yourselves addressing our subcommittee. So thank you.

My colleagues, the purpose of today’s hearing is twofold. First, we seek to learn more about the European approach to information privacy. Second, we wish to consider the impact of the European Data Protection Directive on international commerce in general and e-commerce specifically.

In highlighting the EU Data Protection Directive for consideration today, I hope we can get answers to the following questions. What is the directive? How is it implemented? How is it enforced? What, if anything, can we in the United States involved in the information privacy debate learn from the directive which encapsulates the European approach to information privacy? What implications does the directive harbor with relation to international commerce; specifically, transatlantic commerce? And what is the import of safe harbors and model contracts?

My colleagues, the answers to these questions have significant implications for companies who want to do business in and with Europe. This hearing not only represents the subcommittee’s second in a series of privacy hearings, but also represents the first hearing under the subcommittee’s trade jurisdiction.

In a coming week or 2, I expect to unveil the topic and timetable of as many as five subcommittee hearings addressing the information privacy issue. Moreover, the subcommittee, as part of its trade jurisdiction, will begin to examine legal and regulatory measures that may impede the growth of e-commerce globally.

I rely on the words of one of our witnesses in highlighting the significance of our inquiry today when he said, “The EU privacy directive is probably the most important law by which the EU is writing the rules of cyberspace.”

Mr. Winer is not alone in his concern. Many large transnational and even U.S. businesses with modest international operations have expressed the same concerns to me and other members in private.

Raising issues of significant import to our increasing knowledge and information-based economy in my office is one thing. Raising those issues in a congressional hearing is a totally different matter. I encourage all companies and interested parties to engage and speak their views openly on this issue while we are still defining the parameters.

I am concerned about the potentially regressive impact of the directive and its implementing statute now in effect in 11 out of the 15 member states on international commerce, and more specifically on commerce between the European community and the United States. I am not convinced, nor is corporate U.S. America, that the safe harbor provisions negotiated by Ambassador Aaron in the previous administration will help mitigate the concern over regressive effects.

The Ambassador has accurately noted, “While we and the Europeans share many basic values, the European Union directive comes from a different legal tradition and historical experience.” The safe harbor principles are reflective of those European traditions and experiences, and as such at times don’t harmonize well with our American legal tradition and historical experiences.

I encourage President Bush and the administration to begin the examination of this important issue on an expedited basis. By way of holding this hearing, we, as members of both the subcommittee and the full Energy and Commerce Committee, want to stress our keen interest in the trade ramifications of the directive. We will follow this issue carefully, and if need be we will make our wishes known in more definitized ways.

And with that, I am pleased to recognize the ranking member, Mr. Towns.

Mr. Towns. Thank you very much, Mr. Chairman, for holding this hearing. I think this is a very, very important hearing, and I want to salute you for that. And I would also like to ask permission to put my entire statement in the record.

Mr. Stearns. Without objection, so ordered. 

Mr. Towns. We have all heard the terrible abuses that have occurred when personal information is misused. A person’s job can be lost, their creditworthiness can be destroyed, and their personal peace of mind can also be destroyed.

But privacy is not only a problem for consumers; it is a major issue for business as well. While privacy policies can limit business marketing opportunities, the effect of privacy policies on consumer confidence is a far more important factor in the future success of e-commerce.

Today we will hear how the European Union has chosen to balance commercial and consumer privacy interests. And as in so many cases, we will learn how regulations in one country can threaten the ability of U.S. firms to engage in foreign commerce. Compliance with the EU Privacy Directive is not optional.

In order to transfer personal data of any type out of the EU, a U.S. firm will soon be forced to comply. A firm that fails to comply can be blocked from transferring data out of the European Union.

In conclusion, Mr. Chairman, let me say I am not interested in defending either the EU Privacy Directive or the safe harbor agreement. That is not my interest. However, I do believe that privacy protections need to be uniform, and they need to be transparent. Consumers should not have to hire law firms and investigators and negotiators to identify privacy protections that companies have agreed to provide in private contracts.

Furthermore, no consumer, no matter where they live, is due any less than the highest privacy protection a company provides to any other consumer. When a company agrees to a particular privacy policy, it should provide everyone it serves with those same benefits.

Finally, any privacy policy is meaningless unless it is enforceable. Therefore, government has an important part to play in making privacy enforceable.

Mr. Chairman, I look forward to working with you on these matters. Consumers all over the world are demanding greater control over their personal data. This Congress has an important role to play in making sure consumers get the privacy protection they deserve, and I am certain that you will provide leadership in that regard.

I yield back.

[The prepared statement of Hon. Edolphus Towns follows:]

Prepared Statement of Hon. Edolphus Towns, a Representative in Congress from the State of New York

Mr. Chairman, I want to thank you for holding this important hearing. Privacy is clearly one of the highest priority consumer protection issues we face. We have all heard the terrible abuses that have occurred when personal information is misused. A person’s job can be lost. Their creditworthiness can be destroyed, as can their peace of mind.

But privacy is not only a problem for consumers; it is a major issue for business. While privacy policies can limit business marketing opportunities, the effect of privacy policies on consumer confidence is a far more important factor in the future success of e-commerce.

A survey conducted by AT Kearney management consultants and reported in November of last year in the publication “BizReport” confirms this point. Let me quote, “E-retailers worldwide lose $6.1 billion in sales, due to an 80 percent failure rate among online purchase attempts . . .” and that “Invasive information requests are blamed for 52 percent of sales that fall apart, followed by reluctance to enter credit card data (46 percent) . . .” Clearly, business is paying a big price for the confidence consumers lack in the privacy and security of their online transactions.

Today, we will hear how the European Union (EU) has chosen to balance commercial and consumer privacy interests. And, as in so many cases, we will learn how regulations in one country can threaten the ability of U.S. firms to engage in foreign commerce. Compliance with the EU privacy directive is not optional. In order to transfer personal data of any type out of the EU, a U.S. firm will soon be forced to comply. A firm that fails to comply can be blocked from transferring data out of the EU.

Because the U.S. has no comprehensive national privacy policy, much less one that is comparable to the EU directive, the EU has decided that all American firms lack adequate privacy protections for personal data. The privacy provisions of the recently enacted financial modernization legislation do not, according to the EU and many others, provide adequate privacy protection. U.S. firms, therefore, are in a bind.

Recognizing this fact, the EU and the U.S. entered into a Safe Harbor Agreement last year. The Safe Harbor has one purpose. It allows certain U.S. firms to declare their compliance with agreed upon privacy protections that the EU does consider to be “adequate,” so that U.S. data firms can continue doing business in Europe.

The way it works is that U.S. firms, and I am happy to say that one such firm — Hewlett Packard — is represented here today at this hearing, must certify to the Department of Commerce that they comply with the privacy protections in the Safe Harbor. Everything is public and is open for consumers and all to see. The Commerce Department’s web site has both the privacy principles as well as the names of the 27 entities who, so far, have certified they comply with the Safe Harbor.

Certain firms cannot take advantage of the Safe Harbor’s protection. Financial institutions — banks, securities firms, and insurance companies — do not have safe harbor protection at this time. In fact, some financial and other firms have actually organized in an effort to convince the EU and the U.S. to terminate the Safe Harbor altogether.

Instead, the only way for financial firms currently to comply is through the negotiation of private contracts either with their EU customers directly or with EU privacy officials in each country where they operate. It is unfortunate that we do not have a U.S. financial or other firm with us today who can tell us about the privacy contracts that have been negotiated. Although we may assume, we do not actually know the extent to which these contracts comply with the privacy directive. We also do not know the extent to which U.S. firms are offering EU consumers privacy protections they deny their U.S. consumers. Hearing from someone in the financial services industry could have helped clarify these matters.

In conclusion, Mr. Chairman, let me say, I am not interested in defending either the EU privacy directive or the Safe Harbor Agreement. However, I do believe that privacy protections need to be uniform, and they need to be transparent. Consumers should not have to hire law firms and investigators to identify privacy protections that companies have agreed to provide in private contracts.

Furthermore, no consumer, no matter where they live, is due any less than the highest privacy protection a company provides to any other consumer. When a company agrees to a particular privacy policy, it should provide everyone it serves with those same benefits. Finally, any privacy policy is meaningless unless it is enforceable. Government, therefore, has an important part to play in making privacy enforceable and uniform.

Mr. Chairman, I look forward to working with you on these important matters. Consumers all over the world are demanding greater control over their personal data. This Congress has an important role to play in making sure consumers get the privacy protection they deserve.

Mr. Stearns. I thank my colleague. 

Mr. Shimkus, gentleman from Illinois? 

Mr. Shimkus. Thank you, Mr. Chairman. We appreciate this hearing, and I think it has great implications, as everyone has said.

The EU Privacy Directive has important implications for U.S. companies who are doing or want to do business with Europe and with our largest trading partner. But I want to put on record my concern, after hearing the decision rendered by the European Court of Justice earlier this week, that allows the European Union to lawfully suppress political criticism of institutions and of leading figures.

In this country, in the history of our country, we have basically had some distrust of national government, symbolically, in the creation of the Bill of Rights to our Constitution over 200 years ago. In so doing, the first one being the First Amendment, freedom of speech, what the implication is here is that our — probably our strongest allies and democratic countries may not have that faith and trust in the freedom of expression, of political expression.

This decision is very disturbing, one that could have major implications on the privacy issue and an impact on future business relations between the U.S. and EU companies. And I hope that we will have some addressing of this issue in this hearing.

I do appreciate the long distance you all have traveled. I just did the same trip 3 weeks ago as a member of the NATO Parliamentary Assembly. We visited the EU Commission, and I think next year we’re going to have a chance to visit the EU Parliament with discussions on transatlantic issues of great importance to us. But I think this hearing is very, very important, and I look to be a full participant.

And I thank the Chairman and yield back my time.

Mr. Stearns. I thank my colleague. 

The gentleman from New Hampshire, Mr. Bass? 

Mr. Bass. No statement. 

Mr. Stearns. The gentleman from Indiana, Mr. Buyer? 

Mr. Buyer. No statement. 

[Additional statements submitted for the record follow:] 

Prepared Statement of Hon. W. J. “Billy” Tauzin, Chairman, Committee on Energy and Commerce

I want to start by thanking Subcommittee Chairman Stearns for calling the first ever Congressional hearing, in either the House or Senate, specifically focused on the EU Privacy Directive. The topic of today’s hearing is extremely relevant to the Committee’s consideration of privacy and information exchange issues.

The development of electronic commerce has accentuated the fact that the U.S. economy is interdependent on the rest of the world. The Internet and other electronic networks expand the ability of businesses to reach new or untapped markets worldwide. These technologies fundamentally shrink the size of the globe. Policies affecting electronic commerce made by the world’s largest trading bloc — the European Union — have an impact on the U.S. It also has an impact on how the U.S. Congress will approach the debate over privacy.

The U.S. and EU Member States approach the issue of privacy from different perspectives. Europeans are instilled with the belief that privacy is a fundamental human right. There are a number of reasons for this belief, including the vast and traumatic experiences of the Nazi regime during the 1940’s. Another reason for this perspective is the simple fact that many EU countries are relatively new democracies. It was not long ago that Kings and Queens ruled throughout Europe. In the U.S., we take a different approach towards privacy as we have fundamental protections to free expression provided in the U.S. Constitution, including the First Amendment. By and large, we also rely heavily on the private sector to protect consumer privacy.

I believe that the EU Privacy Directive may act as a de-facto privacy standard on the world. It may or may not be permissible under the WTO because of the technical structure and specific carve-outs, but it certainly is an effort to impose the EU’s will on the U.S. While I recognize that similar charges have been laid against certain U.S. policies, the EU Privacy Directive could be the imposition of one of the largest free trade barriers ever seen and is a direct reversal of the efforts we have made in various free trade agreements. It certainly provides for extraterritorial enforcement of EU principles on Americans and American companies.

I have serious reservations about the real impact of the EU Privacy Directive on commerce and trade. I am very concerned that U.S. companies, which have been the creators and the leaders of E-commerce, will be forced to deal with such a restrictive concept. I would love for someone to provide some type of compliance cost analysis for the Privacy Directive but that simply hasn’t been done. I suspect the costs would be in the multi-billions, and are all costs that will be passed onto consumers.

One of the many drawbacks of imposing something like the Privacy Directive on the entire world is that one-size does not fit all. Europeans do not view lawsuits as an answer to problems. In the U.S., lawsuits are filed at the drop of a hat. A stock dropped too much or too fast, a lawsuit gets filed. A neighbor’s dog barks too loud, a lawsuit gets filed. That is a reality that we have to deal with. However, such lawsuits could cripple the beneficial exchange of information that is a cornerstone of American business practices today.

Compliance and enforcement of the Privacy Directive has, at best, been spotty in European nations. In fact, a number of nations have not even bothered to enact the required implementing legislation. This lax attitude is something that Americans are not used to. We do not build elaborate restrictions with a wink and a nod so they can be ignored. Given this, we need to know whether enforcement of the Privacy Directive on U.S. companies represents a double standard when compared to enforcement of European firms. We also need to know the consequences for competition if this occurs.

I must admit that I take a dim view about the way that the EU went about enacting this new privacy regime. The EU designed the rules and told the U.S. companies to abide by them or risk losing the transfer of any data from European nations. In essence, do it or suffer the consequences. There were no international negotiations. The U.S. was allowed to participate in negotiations resulting in the so-called “Safe Harbor” but it is interesting to note that very few firms have signed up for it.

The Safe Harbor raises a whole host of issues in and of itself. For instance, the legal status of the Safe Harbor is highly questionable. Further, the Safe Harbor doesn’t cover financial firms. Indications are that privacy provisions of the “Gramm-Leach-Bliley” Financial Services Modernization Act are not “adequate” for purposes of the Privacy Directive. This is nonsense, as many people make a compelling case that these provisions are too strong. More importantly, what are global financial firms to do? They don’t qualify for the Safe Harbor and U.S. law, which they must obey, is being overrun by the Privacy Directive.

Recently, the EU has been designing so-called “model contracts” that can be used to meet the stringent requirements of the Privacy Directive. Many experts have suggested that the model contracts will be imposed on U.S. firms as a way to “top-off” or strengthen the Safe Harbor. This seems to directly contradict the purpose of the Safe Harbor and the negotiations that took place. Was the Department of Commerce duped into supporting the Safe Harbor? Are the Europeans really trying to find ways to strengthen the Privacy Directive?

I am hopeful that this hearing will provide some insight and provide some comfort regarding the EU Privacy Directive. Unless or until that occurs, I think it only appropriate to consider all the options this Committee can take. Many have asked for our assistance in steering the new Administration towards the proper perspective on this issue. I think we should give serious consideration to doing just that.


Prepared Statement of Hon. Mike Doyle, a Representative in Congress from the State of Pennsylvania

Mr. Chairman, thank you for calling this hearing to discuss the issue of personal data privacy as it relates to international e-commerce and trade. E-commerce transcends global boundaries at light-speed, literally bringing the world to individual consumers and industries and offering an unprecedented opportunity for advancement and economic growth.

During last week’s hearing, I voiced my concerns that in the past, over-zealous federal regulations sometimes created unnecessary burdens on business. I firmly believe that it is the responsibility of the federal government to find the most appropriate balance that ensures we do not unintentionally choke out our emerging high-technology e-commerce sector while at the same time providing floor requirements relating to basic privacy protections for consumers and industry alike.

And while I find the European Union approach towards personal data protection noble insofar as they recognize the importance of an individual’s control over the sharing of personal information, it goes without saying that applying such government actions here in the United States would raise some troublesome issues and almost surely conflict with the Constitution.

But, if we in America do not act to establish some general requirements to ensure the integrity of personal privacy for our citizens and global consumers, both Americans and Europeans may very well risk losing out on vast economic opportunities.

Here in the United States, the Safe Harbor provisions represent a good start, but they lack comprehensive application to all sectors of our economy. In my view, it is important that the same, uniform minimum standards are applied to all transactions involving online personal privacy, regardless of the particular economic sector in which they may fall.

While the European Union Privacy Directive is a source of concern to me on various levels, I do believe that it serves, as does this hearing, as a catalyst for discussion and implementation of real online personal privacy protections.

No doubt that several US firms, separate from the Safe Harbor principles, have negotiated with the European Union to ensure the security of personal data is maintained when conducting transatlantic e-commerce. Such aggressive industry self-regulation is just the type of proactive, responsible action that assuages consumer unease and concern with e-commerce privacy.

In my view, an effective blend of industry self-regulation within a comprehensive framework of federal minimum standards must become the new standard for 21st century e-commerce in the United States if our industries and consumers are to continue to capitalize on high-technology sector growth.

Mr. Chairman, I am eager to work with you and my colleagues of the Subcommittee on ways to facilitate the prosperity of global e-commerce.


Prepared Statement of Hon. Bobby L. Rush, a Representative in Congress from the State of Illinois

Mr. Chairman, thank you for holding this important hearing on the European Union Privacy Directive. I particularly want to thank Professor Rodota and Mr. Smith for traveling such a long distance to discuss this important topic. This hearing is significant for two reasons.

First, ensuring an ongoing dialogue between the European Union and the United States regarding the EU’s Privacy Directive and its underlying purpose is critical for ensuring continued and uninterrupted trade between our nation and the countries which make up the European Union. The European Union is one of our most valued trade partners. However, it is clear that the United States’ privacy laws in many sectors of our economy do not meet the strict standards of the European Union Privacy Directive. Only by working together can we ensure that the inadequacy of U.S. privacy laws and strength of the European Union’s Privacy Directive do not lead to disruption in our strong trade relationship.

Second, we in the United States can learn a great deal from the European Union’s Privacy Directive. The United States does not have a comprehensive privacy policy. Some sectors of our economy have no protections whatsoever. Also, in some cases, information is susceptible to misappropriation and misuse. Also, in many cases enforcement is limited to government action because no private cause of action is provided. The European Union’s Privacy Directive represents an example of a strong law covering many different types of information which provides extensive enforcement mechanisms.

However, the European Union’s Privacy Directive is not without its faults. Some would argue that it covers information which is clearly public. We in Congress need to learn from the European Union’s efforts what works and what doesn’t. It provides one of the clearest examples of what is feasible and infeasible.

I commend the witnesses from Europe for their work in this area and those witnesses who have worked with the European Union to ensure there is no disruption in the trade relationship between the United States and the European Union.

Mr. Stearns. With that, we will have the first panel, Professor Stefano Rodota, Chairman, European Union Data Protection Working Group, and Mr. David Smith, Office of the UK Information Commissioner.

I want to thank, again, both of you for your coming the long distances, and I look forward to your opening statement. So you can give your opening statement right now if you would. Professor, we will start with you.

STATEMENTS OF STEFANO RODOTA, CHAIRMAN, EU DATA PROTECTION WORKING PARTY; AND DAVID SMITH, ASSISTANT COMMISSIONER, OFFICE OF THE UK INFORMATION COMMISSIONER

Mr. Rodota. Thank you, Mr. Chairman. Thank you for inviting me to testify today at this important hearing.

I am Stefano Rodota. I am the Chairman of the Italian Data Protection Commission. I am also a professor of law, and I have been for several years a member of the Italian Parliament and of the European Parliament. So I shared the same responsibility you have now.

So I am chairman of the Data Protection Working Group established by the European directive of data protection passed by the European Parliament, as you know, and the Council in 1995. And I must say that when compared to other pieces of European legislation, the directive presents a prominent feature. It aims at protecting fundamental rights and freedoms, although this objective is twinned with the free movement of services.

This approach has been recently stressed by a major development in the charter of fundamental rights of the European Union signed in December of last year by the European Parliament, the Council —

Mr. Stearns. Professor, could I have you pull the speaker up 
just a little closer to you? 

Mr. Rodota. Oh, yes. 

Mr. Stearns. Yes. That will be fine. 

Mr. Rodota. Yes, sorry. 

Mr. Stearns. No, no. That is fine. Thanks. 

Mr. Rodota. It is better. 

Mr. Stearns. Yes, that is better. 

Mr. Rodota. Oh, thank you. 

So I was saying that I would like to stress that the same approach was shared by the charter of the fundamental rights of the European Union passed in December of last year by the European Parliament, the Council, and the Commission. And two specific provisions are devoted to privacy and data protection.

So now data protection must be considered a fundamental human right, and the same charter makes reference to the necessity of an independent authority.

These independent authorities, existing in all 15 countries in Europe, meet together in the Data Protection Working Party, which is also called Article 29 Group. And this group has an advisory status and acts independently, and since its creation has adopted several recommendations and opinions.

In Italy, the directive was implemented by the Data Protection Act in 1996, and then complemented by secondary legislation and, I would like to stress, by a number of codes of conduct which represent an important factor of flexibility.

I can leave you an English version of the Act, together with the articles of the European charter.

Mr. Stearns. By unanimous consent, we will make that part of 
the record. 

Mr. Rodota. Yes. Thank you. 
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At that time, in 1996, Italy was the only member state of the Eu- 
ropean Union, together with Greece, without a specific data protec- 
tion law. But you know what technologies say — using appropriate 
technologies, late comers can make a leap frog. Something like that 
happened in Italy. Using the European law, and transposing imme- 
diately for all the member states the directive into its legal system, 
Italy jumped at the top of the European data protection. 

The implementation of the law has not been easy, but the soci- 
etal effects are astonishing. Our Commission has been dealing dur- 
ing the past 4 years with nearly 100,000 offers submitted by phone, 
fax, e-mail, writing, and as formal requests to the Commission act- 
ing in alternative to the judiciary. 

Statistically, the main people’s concern regards health insurance, 
telecommunications, direct marketing, labor relationship, police 
data, banks. People can act directly toward the data controller. For 
instance, 4 million customers asked banks not to send them com- 
mercial advertising. The implementation of the law raised more re- 
sistances in the public administration than in the private sector 
that has not at all suffered the dramatic consequences foreseen by 
some interested circle. 

So the high level of data protection legally in the UE indicates 
an amassing paradox. Privacy was invented in the U.S. and has 
long been considered to be typical of the American society. Europe 
now is the region of the world where maybe personal data is most 
protected — are most protected. This does not mean, however, 
that — in my opinion, that European-U.S. systems are mutually op- 
posed. 

It is an instance of misrepresentation to simplify the picture by 
making Europe the domain of law and the U.S. the domain of self- 
regulation. Indeed, it is exactly the framework provided by Euro- 
pean directives and national laws which is making it possible to de- 
velop self-regulatory codes and contract models on a larger scale. 

And at the same time, we recognize that many highly sensitive 
issues are being dealt with in the U.S. by means of legislative tools. 
We have been impressed, for instance, by the Executive Order to 
prohibit the use of genetic data for Federal employees. We must 
take this perspective seriously. We cannot accept a full-speed world 
in the data protection field, more and more one of the most impor- 
tant and critical matters in the globalized world. 

Many devices can be used — national legislation, regional rules 
like in European Union, international guidelines, model contracts, 
and, finally, international conventions. We must provide a common 
framework. 

In my double capacity, I would like to work in this area. For 
making possible more fruitful cooperation, the working group is 
now planning a visit in the U.S. mid-June. 

Coming back to the directive, it has been implemented in eleven 
out of the 15 EU member states. Of course, the European Commis- 
sion has started an infringement procedure against the four mem- 
ber states that have not yet notified the implementing measures — 
France, Germany, Ireland, and Luxembourg. 

However, if we consider both the core principles and the creation 
of supervisory authorities, I would say that almost all member 
states are now in line with the fundamentals of the directive. 
Germany and France are, for different reasons, in a similar
paradox. They are late in passing the implementing measures.
However, their data protection legislation is sound and well
established. According to some observers, this paradox shows that
adapting old laws may prove harder than passing a brand-new law.

The Netherlands seem to have experienced one of the most inter- 
esting parliamentary debates. This was prompted by an amend- 
ment aimed at excluding the private sector from the jurisdiction of 
the Data Protection Authority. The business community argued 
that they would feel more comfortable with the powers of self-dis- 
ciplinary bodies, but the amendment was rejected because the 
Dutch government found that it may have been incompatible with 
the directive. 

So all member states share now the same values and are legally 
bound by the same core principles, directly connected with a strong 
commitment to make effective fundamental human rights in this 
very sensitive area. 

It means that also commercial and economic interests must be
evaluated in this broader context. At the same time, the directive
was aware of the problem of transferring that outside the European
Union. The well-known Articles 25 and 26 reflect these concerns
through a reference to an adequate level of data protection.
Until now only Canada, Switzerland, and Hungary have met the
adequacy test in the judgment of Article 29 working party.

At the same time, Articles 25 and 26 have made possible and —
made possible to build up a completely new system based for the
U.S. on the safe harbor entered into force on October 25 last year —
a special opportunity given to the U.S. company. But we have also
the new adequacy system, including the standard contractual
clauses, and the draft by the Commission services, and that I
received the positive opinion of the Article 29 working group.

In my opinion, such clauses are crucial in ensuring transborder 
data flow because 

Mr. Stearns. Professor, if you don’t mind, we just have 

Mr. Rodota. I will stop. I am ending. 

Mr. Stearns. Sure. 

Mr. Rodota. Just 1 minute. Are crucial because many companies 
make business on a global scale and because data flows from the 
European Union are not linked to the U.S. Both systems will be 
experimented with. It will be especially interesting to evaluate the 
enforcement system. 

It does not work, however, that here are interesting develop- 
ments in the attitude of the business community. More and more 
privacy protection is considered a value to be offered with goods 
and services. Opt-in and not opt-out has been indicated as the best 
approach by prominent European companies during their hearing 
before the European Parliament last January. 

So we are living in a transitional period and indeed need co- 
operation as wide as possible. Thank you for giving me this oppor- 
tunity. May I conclude with my very best wishes for your future 
discussions which are crucial for the democratic values that we 
share. 

Thank you very much. 

[The prepared statement of Stefano Rodota follows:] 
Prepared Statement of Stefano Rodota, Chairman, EU Data Protection
Working Party

Mr Chairman, Honourable Members, Thank you for inviting me to testify today 
at this important hearing. My name is Stefano Rodota, and I am the Chairman of 
the Data Protection Working Party that was established by the EU Directive on the 
protection of physical persons with regard to the processing of personal data. This 
Directive was passed by the European Parliament and the Council in 1995, that is 
after 5 years of fierce discussions on the proposal presented by the European Com- 
mission in 1990: passing legislation on such a complex issue is not easy — neither 
in the EU nor in the US, you will say . . . 

Since the creation of a Data Protection Commission in Italy (1997) I also wear 
the hat of Privacy Commissioner, and in this capacity I would like to share with 
you a couple of ideas on the concrete implementation of the Directive in my country. 
Before doing that, may I say something about the European approach to privacy and 
data protection, that may explain some of the difficulties that we have experienced 
in bridging the gap with the approach of the US Government. 

When compared to other pieces of European legislation, the Directive presents a 
prominent feature: it aims at protecting “fundamental rights and freedoms”, al- 
though this objective is twinned with the free movement of information and services. 
This approach has been recently stressed by a major development: in the Charter 
of Fundamental Rights of the European Union, that was signed in December 2000 
by the European Parliament, the Council and the Commission, two specific provi- 
sions are devoted to privacy and data protection. Let me quote them. 

Article 7, Respect for private and family life. 

Everyone has the right to respect for his or her private and family life, home and
communications.


Article 8, Protection of Personal Data. 

1. Everyone has the right to the protection of personal data concerning him or her. 

2. Such data must be processed fairly for specified purposes and on the basis of 
the consent of the person concerned or some other legitimate basis laid down by law. 
Everyone has the right of access to data which has been collected concerning him or 
her, and the right to have it rectified. 

3. Compliance with these rules shall be subject to control of an independent
authority.

These independent authorities, as you know, meet together in the Data Protection 
Working Party, which is also called “Article 29” Group, although its powers are to 
be found in Article 30 of the Directive. The Working Party, that I’m honoured to 
chair since last year, has an advisory status and acts independently. Since its cre- 
ation, it has adopted a number of Recommendations and Opinions, some of which 
were devoted to the different versions which led to the final shape of the “Safe Har- 
bor”. All these documents are available to the public at the following web page: 
http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/

The Italian experience. 

In Italy, the Directive was implemented by the Data Protection Act (1996). This 
Act is being complemented by secondary legislation and — may I stress this aspect — 
by a number of Codes of conduct, which represent an important factor of flexibility. 
All the relevant documents are available at: http://www.garanteprivacy.it 

Judging from my personal experience on the ground, I can testify that the provi- 
sions by which the Directive was implemented in Italy are being invoked on such 
a wide range of issues that were probably hard to imagine when the law was 
passed — there are over 2,000 claims pending before the Garante, covering almost all 
business areas and administration branches — but no company has gone out of busi- 
ness — nor has it suffered the dramatic consequences that were anticipated by some 
interested circles. In Capitol Hill, you are in a good position to know that lobbying 
groups sometimes tend to exaggerate the cost of new legislation. In earlier times, 
the same happened during the Parliamentary discussions on child labour legislation, 
but nobody today would argue that such legislation was not appropriate. 

When the Directive was passed (1995) in Italy there was no legislation in this 
area, and the issue was virtually confined to the academic and literary circles. In 
less than 4 years, the word “Privacy” has entered into the daily vocabulary of the 
average Italian (without any Italian translation: the media and the man in the 
street just say “Privacy”, and they seem to know what they mean). Sometimes I’m 
myself puzzled about that. 

The widespread use of the word “Privacy”, in Italy and in other non-English 
speaking countries, indicates an amazing paradox. Privacy was “invented” in the 
US, and has long been considered to be typical of American society. Still, Europe 
is nowadays the region of the world where personal data is most protected — so much 
so that the Charter of Fundamental Rights of the European Union has recently in- 
cluded data protection among fundamental human rights (see Article 8, quoted 
above). 

This does not mean, however, that the European and the US systems are mutu- 
ally opposed or absolutely irreconcilable. For instance, it is an instance of misrepre- 
sentation to simplify the picture by making Europe the domain of law and the US 
the domain of self-regulation. Indeed, it is exactly the legislative framework pro- 
vided by EU directives and national laws which is making it possible to develop self- 
regulatory codes and contractual models on a large scale. At the same time, many 
highly sensitive issues and topics are being dealt with in the USA by means of legis- 
lative tools, as shown by the many laws passed in the US at the State level and 
by the Executive Order issued by Clinton on 8 February 2000 to prohibit the use 
of genetic data for federal employees. 

The implementation of the Directive in other EU countries 

The Directive has been implemented in 11 out of the 15 EU Member States. The 
deadline for implementation was October 1998 and of course, as in many other pol- 
icy areas, the European Commission has started an infringement procedure against 
the four Member States that have not yet notified the implementing measures 
(France, Germany, Ireland and Luxembourg). It is the Commission’s duty, and I 
strongly hope that this will help in completing the implementing process. However, 
if we consider both the “core principles” of data protection and the creation of Super- 
visory Authorities, I would say that almost all Member States are now in line with 
the “fundamentals” of the Directive (please, don’t ask me to name the one or two 
countries that may still make an exception). 

Germany and France are, for different reasons, in a similar paradox: they are late 
in passing the implementing measures; however, their data protection legislation is 
sound and belongs to the best established in Europe (the two were the main source 
of inspiration of the European Directive). According to some observers, this paradox 
shows that “adapting” old laws may prove harder than passing a brand new law, 
but the case of Germany is certainly made more complex by the Federal structure 
of the State, that implies several levels of discussion. 

The Netherlands seem to have experienced one of the most interesting parliamen- 
tary debates. As far as I understand, this was prompted by a major initiative aimed 
at excluding the private sector from the “jurisdiction” of the Data Protection Author- 
ity: roughly speaking, the business community argued that they would feel more 
comfortable with the powers of self-disciplinary bodies, and they found sympathetic 
ears in the Dutch Parliament; an amendment to this purpose was tabled, but the 
Dutch Government found that it may have been incompatible with the Directive, 
and the idea was finally rejected. 

The provisions of the Directive with regard to transborder data flows 

A prominent feature of the EU approach, if compared to the US privacy debate, 
is that the Directive provides with a single framework which applies irrespective of 
the business sector concerned, and regardless of the nature of the data controller 
(public or private body), although some broad exceptions are allowed. 

In the recent past, some observers have argued that, since the Directive had been 
drafted at the time of mainframe computers, its provisions would be outdated in the 
Internet era. The experience gained in the meantime points to the opposite conclu- 
sion: all the core principles established by the directive, such as the right of access, 
rectification, deletion and the right to damages are drafted in a way that copes with 
technology developments, and they work properly irrespective of the technology used 
to process personal data. 

Incidentally, a similar debate took place with regard to the OECD Privacy Guide- 
lines, that are based on the same core principles. At the end, as you know, the ap- 
plicability of the OECD Guidelines to electronic commerce was reaffirmed by the 
Ministerial Conference held in Ottawa in 1998, although the Guidelines are much 
“older” than the Directive (OECD Guidelines: 1980, EU Directive: 1995!). 

Of course, the Internet revolution carries its lot of new challenges, but these nor- 
mally concern the issues of applicable law and jurisdiction, rather than the content 
of the substantive rules, and this is the same kind of problems that does arise in 
many other areas of Law. 
To be concrete, may I give you one example: which law applies to the online
collection of personal data from individuals of country “A” by a company established
in country “B” using a server located in country “C”?

When the countries concerned are within the European Union, the answer is sim- 
ple: the law of Member State “B”, that is the country in which the company is estab- 
lished. In my opinion, this solution is well balanced: 

• on the one hand, it allows data controllers to comply with one single set of rules
(instead of 15 or more), and this is very business-friendly;

• on the other hand, it protects citizens from the possible circumvention of their
rights: using a server located in a third country would be an easy route to
circumvention, but what matters for the Directive is the country in which the
economic activity of the controller is located.

This approach makes sense, as all Member States share the same values and are
legally bound by the same “core” principles, enshrined in the Directive. Of course,
the above applies only insofar as the data controller is established in an EU Member
State: where this is not the case, the issue is far more complex. If the data controller
is established in a country with “no rules” on data protection, the same approach
would result in the absolute lack of guarantees for the data subject, whose personal
data could be processed without any restriction.

In my opinion, there is therefore a case for an International instrument on data 
protection, as recently stressed in the “Venice declaration” by all the colleagues con- 
vened at the 22nd International Conference on Privacy and Data Protection. 

However, in the absence of an international instrument, the Directive has estab- 
lished two very important safeguards: 

1. By requiring that Member States apply the Directive where the data controller
is established in a third country but processes personal data using equipment
located in the EU territory (Article 4c);

2. By the well known “Article 25”, that prompted a number of alarming articles in
the US press, warning against what was called “the Great Wall of Europe”: according
to this provision, personal data can be transferred from the EU to third countries
only if the receiving country ensures an “adequate” level of data protection. Until
now, only Canada, Switzerland and Hungary have met the “adequacy test” in the
judgement of the Article 29 Working Party.

I agree that Article 25 sounds like a bold provision. However, to be understood, 
this general rule must be read together with the many exceptions established by Ar- 
ticle 26, which allow a significant degree of flexibility (examples: the data transfer 
is allowed if the individual has given his unambiguous consent, or where necessary 
for the performance of a contract with the data subject, or to protect his vital inter- 
ests, and so on). In addition, data transfers can also take place where the controller 
adduces appropriate safeguards, that can be offered by way of contractual provi- 
sions. 

As you probably know, standard contractual clauses have been drafted by the 
Commission Services and have received the positive Opinion of the Data Protection 
(“Article 29”) Working Party. In my opinion, such clauses are crucial in ensuring 
transborder data flows, because many companies make business on a global scale 
and because data flows from the EU are not limited to the US. These clauses, when 
adopted, will not be mandatory but if companies choose to use them, they will be 
able to cut out most of the administrative loops which the contractual route other- 
wise requires. 

The Safe Harbor 

The Safe Harbor is living proof that the Directive allows significant flexibility. In 
finding that the SH offers adequate protection, the European Commission may have 
gone beyond the letter of Article 25, which refers to “domestic law” or international 
commitments, and has accepted a set of rules that are proposed to US companies 
on a voluntary basis, but I will not re-open that debate: all that I want to stress, 
is that on the European side there has been a lot of good will. 

I understand that, until now, only twenty five US organisations have adhered to 
the Safe Harbor, and it is to be hoped that their number will increase, after all the 
commendable efforts that were deployed on both sides to secure the deal. 

Mr Chairman, Honourable Members, thank you for giving me the opportunity to 
testify. May I conclude with my very best wishes for your future discussions, which 
are crucial for the democratic values that we share. 

Mr. Stearns. Thank you, Professor Rodota. 

We are going to recess now. We have possibly two votes on the 
House floor. 
So, Mr. Smith, we will reconvene after we come back, and we ask
for your patience.

And I think with the two votes it will be difficult to set a time, 
because I think one of them is an adjournment vote. So we will re- 
convene probably perhaps in about 20 minutes, 25 minutes. 

[Brief recess.] 

Mr. Stearns. The Subcommittee on Commerce, Trade, and Con- 
sumer Protection will reconvene. 

And, Mr. Smith, thank you for your patience, and we look for- 
ward to your opening statement. 

I say to my colleagues, we are giving each of these gentlemen 10 
minutes, instead of the customary 5 minutes, because of the dis- 
tance they have traveled and also as a courtesy so that we can 
really have an impact from all of their feelings on this issue. 

So, Mr. Smith, you have the floor for an opening statement. 

STATEMENT OF DAVID SMITH 

Mr. Smith. Thank you very much, Chairman, and thank you for 
allowing me some extra time. 

I am David Smith, Assistant Information Commissioner from the
United Kingdom. I work for Elizabeth France, the UK’s Information
Commissioner, recently renamed Information Commissioner to reflect
duties she has under the UK’s new Freedom of Information Act. She
was formerly Data Protection Commissioner. She continues as the
UK’s independent supervisory authority, and it is in that role that
I am here and I will talk.

So I can’t act as a representative either of the European Commis- 
sion or even of the UK government. I am a representative of the 
UK’s independent supervisory authority. 

I won’t go through my testimony in great detail. I am happy to 
answer questions in relation to it. I will just highlight one or two 
points. 

It starts with the origins of data protection law, particularly in 
the UK. And as Professor Rodota said, we do see data protection 
law as an aspect of human rights, individuals’ rights to have some 
knowledge of the information that is kept and used about them, a 
right to some control over who has access to that information, and 
how they use it, and some safeguards and rules that we know busi- 
nesses that keep that information will abide by. 

That is exemplified in Europe in the Council of Europe Conven- 
tion on Data Protection, which is at the root of all European data 
protection law, including the UK’s law. But it bears some similar- 
ities to the OECD privacy guidelines with which you may be famil- 
iar. 

But when data protection started, certainly in the UK, it was not 
only about human rights that was behind government thinking. It 
was also about building people’s trust in business, going back some 
time in the use of computers at that time, but say, “Here is the law 
to protect you. You can trust businesses that computerize informa- 
tion.” And that does have some relevance in the world of e-com- 
merce that we are now in. 

The EU Data Protection Directive is designed to harmonize European
laws and to remove barriers to the flow of information within
Europe. It essentially takes the Council of Europe Convention
further, makes it a mandatory requirement, and modifies it in
relation to EU member states.

In addition to the general Data Protection Directive to which the 
attention is focused on, there is a Data Protection Directive specifi- 
cally focusing on the telecommunications section, which adds to the 
general directive. And there is even some suggestion now, although 
nothing firmly proposed, that there will be one relating to the em- 
ployment sector. 

The UK Act implements the European directive. The Act sets out 
the scope of the law. It applies not only to automated computerized 
records. It also applies to structured manual records. It works on 
the basis of criteria for processing. 

In order to keep — use information about individuals, a business 
has to meet certain criteria, which in general are not especially dif- 
ficult to meet but are more onerous where the information falls 
into the category of sensitive data, into particular categories there. 

The law gives individuals rights such as the right of access to 
their information and the right to compensation if the information 
is misused. And it sets out standards that data controllers, busi- 
nesses, must follow called the Data Protection Principles, which 
cover the requirement to fairly process information to keep the in- 
formation secure, and so forth. 

One of those principles relates to international transfers, and the 
testimony I have provided talks about the meaning of adequacy in 
terms of only transferring data to countries outside Europe that 
provide adequate protection. 

What is actually meant by “adequacy”? It doesn’t necessarily re- 
quire data protection law. It does depend on the nature of the data 
that are transferred, codes of practice, enforceable codes, and the 
like, that exist in the country involved. The testimony refers to 
community findings. Professor Rodota referred to particular coun- 
tries where there has been a finding of adequacy, and the safe har- 
bor arrangements fall into that category. 

As UK Information Commissioner, we are obliged under a com- 
munity finding to accept the safe harbor arrangements as providing 
adequacy to companies that have signed up to it. There are excep- 
tions to the requirement for adequacy where individuals have given 
their consent to the transfer of the data where the data are nec- 
essary for legal proceedings and in a number of other areas. 

And I also talk in the testimony about the role of standard con- 
tracts and the work that is going on to develop those contracts to 
govern the transfer. So a variety of arrangements under which ade- 
quacy requirements can be satisfied. 

In terms of enforcement, the UK law does not contain much in 
the way of criminal offenses and criminal penalties for breach. The 
one we place most emphasis on is that of obtaining information by 
deception. Essentially, people like private investigators who will 
contact a bank, an insurance company, a doctor, and pretend to be 
someone with authority to acquire information, and so, therefore, 
do so by deception. And we do prosecute those, and we regard that 
as a particularly important aspect of our law. 

But generally, we enforce the law through enforcement notices
which set out requirements that businesses have to undertake to
comply with the law to delete data to change their practices, or
whatever. And a failure to comply with the notice is then a
criminal matter for which we can prosecute. And individuals, under
the law, have their own right to take action through the courts to
enforce their rights.

As Information Commissioner, we see our role, and, indeed, the 
law sets out our role, as not being solely or even necessarily pri- 
marily about enforcement. We are very keen to develop awareness 
amongst citizens and amongst businesses of how the law operates 
and their rights and responsibilities under it. 

We promote good practice which goes wider than simply com- 
plying with the law, and it covers conduct which is consistent with 
those requirements. And as Professor Rodota said, we also put em- 
phasis on the development of codes of practice, codes that develop 
how the law applies in the area of particular industry, particular 
activities, fields such as the use of data in employment. 

We deal with requests for assessment from individuals, individ- 
uals who ask us to assess whether the law has been complied with, 
and we make those assessments. But we have a wider strategy, 
and I will just, in conclusion, spend a moment or two on developing 
our strategy. Because, as I said, we are keen to work on the basis 
of education and encouragement, both of individuals and of busi- 
nesses. 

We take a very strong view that data protection and privacy re- 
quirements should be built in at the early stage of thinking, wheth- 
er that is the development of new business processes, new IT sys- 
tems, or the development of public policy. 

They should start with data protection in mind, and one example 
of work we are doing in that area is the development of guidelines 
for those involved in the development of IT systems on how to in- 
corporate privacy-friendly features into those systems, part of our 
work of encouragement and producing guidance. 

We also encourage self-regulation, not necessarily instead of stat- 
utory regulation but together with it. We see self-regulation, pro- 
vided this is effective and gives effective remedies to individuals, 
and there are arrangements to check that businesses comply, audit 
arrangements, and the like, as being the best way of providing 
remedies for individuals and enforcing data protection day to day. 

And we are supporting and actively working with the develop- 
ment of alternative dispute resolutions as a better method than in- 
dividuals either taking their cases through the court or our office 
necessarily seeking to resolve them for them. 

We also promote good business practice. We are encouraged by 
some developments, particularly in the e-commerce field, where 
businesses are increasingly positioning themselves for privacy, not 
necessarily because they see that as a way of meeting regulatory 
requirements, but because it is what they see as necessary to at- 
tract and retain customers, permission marketing, giving the cus- 
tomer choice, and the like. 

And we encourage that, because the more that data protection 
flows out of good businesses practice than is seen as a simple addi- 
tional regulatory burden, the more satisfactory and the more effec- 
tive it will be. 

And, last, we do seek to influence law makers as well in the UK
and elsewhere to develop better protection for the privacy rights of
individuals, but to do so without imposing disproportionate burdens
on businesses.

So I hope, Chairman, that is an introduction to our work and has 
been useful to you. Thank you for giving me the time. I am happy 
to answer any questions or provide further information if that 
would be helpful. 

[The prepared statement of David Smith follows:] 

Prepared Statement of David Smith, Assistant Commissioner, Office of the 
United Kingdom Information Commissioner 

SUMMARY

This testimony is intended to be informative. It is submitted on behalf of the UK 
Information Commissioner who is the independent supervisory authority appointed 
under the Data Protection Act 1998. The views expressed are those of the Commis- 
sioner and do not necessarily represent the position of either the European Commis- 
sion or the UK Government. 

The testimony covers: 

• The Origins of Data Protection in Europe; The 1981 Council of Europe Convention,
the objectives of Data Protection law and the thinking behind the UK’s Data
Protection Act 1984.

• The EU Data Protection Directives: The reasons for the general Directive, the
timescale for its implementation and the related Telecommunications Data
Protection Directive.

• The UK Data Protection Act 1998: The scope and application of the law, criteria
for processing, sensitive data rules, other general provisions, individual rights
and the standards to be followed by data controllers (the Data Protection
Principles).

• Transfers of Personal Data to Third Countries: What is meant by an “adequate
level of protection”, Community findings and exceptions to the requirement for
adequacy including the role of standard contracts.

• Enforcement: Criminal offences under the Data Protection Act, obtaining personal
information by deception, enforcement of the Principles, information notices and
the rights of individuals to take proceedings through the courts.

• The Information Commissioner: The Commissioner’s functions under the Data
Protection Act, the role and development of codes of practice, her duty to make
assessments as to whether it is likely or unlikely that the Act’s requirements
have been met, her strategy in promoting compliance with the Act and more
widely promoting respect for privacy and personal information both nationally
and internationally, some activities she is involved in and some comments she
has made in relation to possible revision of the legal framework.

ORIGINS OF DATA PROTECTION 

European Data Protection law has its roots in thinking in the 1970s which led 
to the 1980 OECD Privacy Guidelines 1 and to the 1981 Council of Europe Data Pro- 
tection Convention (Convention 108) 2 . It is Convention 108 that formed the basis 
for the UK and many other European Data Protection laws prior to the Directive 
and which is now reflected in the provisions of the Directive itself. 

Article 1 of Convention 108 sets out the objective. 

“The purpose of this convention is to secure . . . for every individual . . . respect for 
his rights and fundamental freedoms, and in particular his right to privacy, 
with regard to automatic processing of personal data relating to him”. 

At its simplest, Data Protection law delivers this objective through three strands:

• knowledge: the right of the individual to be informed what personal information is kept, by whom and how it is used, and the right of access to the information;

• control: some control by the individual over what information is kept and how it is used;

• safeguards: safeguards to ensure appropriate confidentiality, availability, integrity and security of personal information.


1 Organisation for Economic Co-operation and Development, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Paris 1980.

2 Council of Europe Convention for the Protection of Individuals with regard to Automatic 
Processing of Personal Data, European Treaty Series 108, Strasbourg 1981. 
The human rights approach to Data Protection is clear. It is founded in the right 
to respect for one’s private life. However this was not the only thinking behind ei- 
ther Convention 108 and the UK’s Data Protection Act 1984 or the OECD Privacy 
Guidelines. There were two other strands, both of which are particularly relevant 
in the context of the development of electronic commerce and global markets. First 
there was the fear of technology, whether real or imagined. Evidence suggested that 
individuals were reluctant to trust their information to computers and there was 
anxiety that this lack of trust would stifle the development of technology in busi- 
ness. Legal protection was seen as a way of reassuring individuals. 

Second was the question of transborder data flows. Fears that the lack of an inter- 
national instrument would lead to restrictions on transfer by those countries with 
domestic law were an important factor. In the UK, the Government’s reasons for 
promoting Data Protection legislation were given by the then Home Secretary in the 
House of Commons on 30th January 1984. 

“first . . . reassure people that . . . there are special safeguards for individual pri- 
vacy . . . 

secondly . . . membership of the European Data Protection club ... a very impor- 
tant commercial interest . . . British firms not placed at a disadvantage . . .” 

Although Data Protection law can be seen as a means to facilitate international 
trade rather than as a trade barrier it has never sought to achieve this by allowing 
an unrestricted flow of personal data from those countries that adopt protective 
measures to those that do not. The UK’s Data Protection Act 1984 included provi- 
sion for transfer prohibition notices. Although used rarely this enabled the then 
Data Protection Registrar to stop the transfer of personal data to a country that was 
not bound by Convention 108, if the transfer was likely to lead to a contravention 
of the Act. 


THE EU DATA PROTECTION DIRECTIVES 

Not all member states of the European Union chose to be party to Convention 
108. Those that did used the freedom it allowed to adopt domestic laws that varied 
significantly. As part of the development of an internal market within the European 
Union and to facilitate what was seen as a necessary and substantial increase in 
cross-border flows of personal data, the EU General Data Protection Directive 3 was 
adopted on 24 October 1995. Member states have no choice but to implement it in 
their domestic law. There is still scope for variation in its interpretation and application but this is much less than is the case with Convention 108. 

The EU Directive takes familiar themes forward. It clearly states as its two ob- 
jects: 

• “. . . member states shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”

• “. . . member states shall neither restrict nor prohibit the free flow of personal data between member states . . .”

The Directive took several years to agree. It is necessarily a compromise between 
the cultures, existing laws and aspirations of different member states. To comply 
with the Directive, member states should have had domestic law in place within 
three years of its adoption ie, by 24th October 1998. The UK law came into force 
on 1st March 2000. The Directive allows a transitional period for “processing al- 
ready under way” at 24th October 1998. For most processing this transitional period 
will run out on 24th October 2001. 

In addition to the general Directive referred to above there is a related Directive addressing Data Protection in the Telecommunications Sector 4. The intention of this directive is to particularise and complement the provisions of the general Directive as they apply in this sector. 

THE UK DATA PROTECTION ACT 1998 

The general Data Protection Directive is given effect in the UK by the Data Pro- 
tection Act 1998. There are separate provisions implementing the Telecommuni- 
cations Directive. 


3 Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on 
the protection of individuals with regard to the processing of personal data and on the free 
movement of such data. Official Journal of the European Communities L 281, Vol. 38, 23rd No- 
vember 1995, ISSN 0378-6978. 

4 Directive 97/66/EC of the European Parliament and of the Council of 15th December 1997. 
Concerning the Processing of personal data and the protection of privacy in the telecommuni- 
cations sector. 
General Provisions 

Scope: The Act applies to the processing of personal data. “Personal data” is infor- 
mation that relates to a living, identifiable individual. It includes information held 
not only in automated systems but also in structured manual records referred to in 
UK law as a “relevant filing system”. “Processing” is defined widely and includes 
any operations performed on personal data from collection through to deletion. 

Application: The Act regulates the activities of data controllers. That is persons 
who determine the purposes for which and manner in which personal data are proc- 
essed. It applies to data controllers who are: 

• established in the UK provided the data are processed in the context of the UK establishment even if the processing actually takes place elsewhere;

• not established on the territory of the UK or another member state but make use of equipment in the UK for processing.

Criteria for Processing: Before personal data can be processed, one of the following 
criteria must be satisfied: 

• the data subject has consented;

• the processing is necessary for performance of a contract involving the data subject or for pre-contractual steps;

• the processing is necessary for compliance with a legal obligation;

• the processing is necessary to protect the vital interests of the data subject;

• the processing is necessarily carried out in the public interest;

• the processing is necessary for legitimate interests pursued by the controller except where these are overridden by the need to protect the rights and freedoms of the data subject.

The Information Commissioner takes the view that regardless of whether any of 
the other criteria are also satisfied, legitimate business activities should generally 
be able to rely on the last of the above. 

Sensitive Data: Where sensitive data are processed, one of an additional list of 
criteria must also be satisfied. Sensitive data are defined as those that consist of 
information as to racial or ethnic origin, political opinions, religious or philosophical 
beliefs, trade union membership, health, sex life and criminal offences. The list of 
criteria for processing sensitive data is restrictive. In very many cases the data sub- 
jects’ explicit consent is required before such data are processed. 

Notification: Data controllers are required to notify the supervisory authority of 
their processing operations for inclusion in a public register. Some exemptions exist. 
There is a fee for notification of £35 (approximately $50) per year. This indirectly 
funds the Information Commissioner’s office. 

Supervisory Authority: The Information Commissioner is the independent public 
supervisory authority with appropriate powers of investigation and intervention to 
monitor compliance with the law and hear claims lodged by individuals. 

International Co-operation: Arrangements for co-operation between supervisory 
authorities in member states and the EU Commission are established. These in- 
clude a working party of representatives of supervisory authorities (Article 29 Work- 
ing Party). 

Individual Rights 

Access: Individuals have a right to know whether or not a data controller is proc- 
essing data about them, a right of access to such data and a right to any available 
information as to their source. There are some limited exemptions from this right. 
A fee of up to £10 (approximately $15) can be charged and there are up to 40 days 
to respond. There is also a right to knowledge of the logic of any automated decision 
taking that the individual is subject to. 

Correction/Deletion: There is a right to rectification, erasure or blocking of data 
which are incomplete or inaccurate. 

Prevent Processing: Individuals have a right to object to the processing of per- 
sonal data about them: 

• where the processing causes substantial damage or substantial distress to an individual and that damage or distress is unwarranted; or

• where the processing is for direct marketing.

This right is further developed in the regulations implementing the Telecommuni- 
cations DP Directive. Data subjects have a right to opt out of the receipt of unsolic- 
ited marketing calls through the telephone preference service and must not be sent 
marketing faxes without their consent. 

Automated Decisions: There is a right not to be subject to decisions that are taken 
solely by automated means and have a significant effect on the individual, for exam- 
ple in connection with assessing creditworthiness. A decision can be taken in the 
course of entering a contract provided there are safeguards such as a right of ap- 
peal. 

Request Assessment: The supervisory authority is required to hear claims lodged 
by any person concerning the processing of their personal data. 

Compensation: Any person who suffers damage and associated distress as a result 
of a breach of the Act is entitled to compensation from the data controller. Claims 
must be pursued through the courts. 

Data Protection Principles 

These set out standards to be followed by data controllers in their processing of 
personal data. 

Fair and Lawful Processing: As well as meeting the criteria for processing re- 
ferred to above data controllers must process personal data in a way that is fair 
to individuals and does not lead to breaches of the law. In particular, to make proc- 
essing fair, individuals should be made aware who is holding their data, the pur- 
poses of the processing and any other information necessary to make the processing 
fair such as the recipients or categories of recipients of the data. This obligation ap- 
plies even where the data have not been obtained directly from the data subject, 
for example where they have been obtained from a credit bureau, unless providing 
the information would involve disproportionate effort. 

Limitation of Purpose: Personal data must be collected for specific and lawful pur- 
poses and not processed in a way that is incompatible with those purposes. 

Data Quality: Personal data must be: 

• adequate, relevant and not excessive for the purpose for which they are collected; 

• accurate and, where necessary, kept up to date; 

• kept no longer than necessary. 

Security: Data controllers must have appropriate technical and organisational 
measures in place to protect personal data. Where a data controller uses a processor 
to process data on its behalf there must be a contract in place tying the processor 
to only using the data in accordance with the controller’s instructions and placing 
security obligations on the processor. 

International Transfers: Transfers of personal data to countries outside the Euro- 
pean Economic Area, so called “third countries”, are only allowed if the country pro- 
vides an adequate level of protection for the data. There are some exemptions that 
allow transfers to take place in circumstances where adequacy is not achieved. 

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES 


Adequacy 

Whether a country provides an adequate level of protection for personal data does 
not depend solely on whether the country has a Data Protection law. The Act makes 
it clear that other factors must be taken into account including the nature of the 
data, purposes and duration of processing, the legal framework, codes of conduct or 
other enforceable rules and security measures. It is perfectly possible for example 
that a country might be considered adequate for the transfer of names and address- 
es on a mailing list but not for the transfer of medical records. The existence and 
effectiveness of any system of self-regulation is an important factor in assessing ade- 
quacy. 

The Act gives effect to “Community findings”. These are decisions of the European 
Commission that the level of protection in a third country is or is not adequate. 
There have been Community findings in relation to Switzerland and Hungary as well as the US safe harbor arrangements. Several other countries are under consideration. 

Exceptions 

In limited circumstances transfers of personal data to third countries can take 
place even though adequacy has not been established. These are where: 

• the data subject has consented to the transfer;

• the transfer is necessary for performance of a contract involving the data subject or in the interests of the data subject or for pre-contractual steps;

• the transfer is necessary for the reasons of substantial public interest;

• the transfer is necessary for legal proceedings, obtaining legal advice or otherwise for the establishment, exercise or defence of legal rights;

• the transfer is necessary to protect the vital interests of the data subject;

• the transfer is part of the information in a public register.

In addition transfers can be made on the basis of a contract between a UK data 
exporter and a data importer in a third country which is of a type approved by the 
Commissioner. The Commissioner also has the power to authorise particular trans- 
fers on the grounds that they are made in such a manner as to ensure adequacy. 
The Commissioner has not yet given approval to any standard contract terms. She is awaiting the outcome of work the European Commission is undertaking to develop such terms which will then be subject to a Community finding. 

ENFORCEMENT 

In the UK, breaches of the Data Protection Act 1998 are mostly not criminal 
offences. The criminal offences are largely confined to failure to notify the Commis- 
sioner of processing operations requiring notification and knowingly or recklessly, 
without the consent of the data controller, disclosing or obtaining personal data. 
Within this the Commissioner places particular importance on using her powers to 
prosecute those who seek to obtain personal information, to which they are entitled, 
by deception. 

Where there is a breach of one of the principles, the Commissioner can issue an 
enforcement notice requiring the data controller to take action to bring about com- 
pliance, for example, to delete data. Failure to comply with a notice is then a crimi- 
nal offence. There is no power to “punish” a data controller for a breach of prin- 
ciples. 

The Commissioner also has a power to issue an information notice requiring a 
data controller to provide her with information needed to determine whether there 
has been a breach of the Act. There is a right of appeal to an independent tribunal 
against enforcement or information notices. Where she has reasonable grounds for 
suspecting a breach of the Act she can apply to a court for a search warrant in order 
to obtain evidence. 

In addition individuals can take their own cases to court. They can ask the court 
to: 

• order a data controller to uphold their right of access, right to prevent processing and rights in relation to automated decisions;

• order a data controller to rectify, block, erase or destroy inaccurate data.

THE INFORMATION COMMISSIONER 

The former Data Protection Commissioner has recently been renamed “Informa- 
tion Commissioner”. This reflects additional responsibilities for oversight of the 
UK’s new Freedom of Information Act. This testimony only addresses her respon- 
sibilities under the Data Protection Act 1998. She operates through an office with 
around 115 staff and a budget of £4.5 million ($7 million). 

Duties 

In addition to enforcement and maintenance of the public register of notifications the Commissioner’s functions under the Act include: 

• promotion of good practice, which is such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others and includes (but is not limited to) compliance with the requirements of the Act;

• dissemination of information and the provision of advice to individuals and data controllers about the operation of the Act, good practice etc;

• assessing, with the consent of the data controller, any processing of personal data for the following of good practice (an audit function);

• presentation of an annual report and, when she sees fit, other reports to Parliament;

• provision of assistance to individuals taking action through the courts in relation to the processing of personal data for journalism or for artistic or literary purposes;

• preparation and dissemination of codes of practice;

• determination of requests for assessment.

Codes of Practice 

The Commissioner is required, after consultation, to prepare and disseminate 
codes of practice for guidance as to good practice either where she is directed by 
the Government to do so or where she considers it appropriate. Such codes explain 
the Commissioner’s view of how compliance with the requirements of the Act should 
be achieved in practice in a particular field of business or activity. She can also en- 
courage trade associations to prepare codes. 

A code of practice has been issued on the use of closed circuit television in public 
places. Consultation has recently been completed on the draft of a code on the use 
of personal data in employer/employee relationships. The Commissioner places con- 
siderable emphasis on the development of codes of practice under the Act. She be- 
lieves they have an important role in translating the necessarily general require- 
ments of the Act itself into meaningful standards that can be readily applied in the 
context that they address. 

Requests for Assessment 

A request may be made to the Commissioner by a person directly affected for an 
assessment as to whether it is likely or unlikely that any processing has been car- 
ried out in accordance with the Act. Subject to some limitations the Commissioner 
is required to make an assessment and inform the person of the result. This re- 
places her duty under the Act’s predecessor to consider complaints. In some cases 
requests for assessment may lead to enforcement action. 

Around 5,000 cases are handled each year. Roughly half of these require some 
form of investigation. The others are dealt with by the provision of information or 
advice. Around 65% of cases reveal a breach of the Act. The two largest categories 
of cases in 1999/2000 were consumer credit (including credit reporting) — 31% and 
direct marketing — 18%. 

Strategy 

The Commissioner sees her role as wider than simply undertaking the specific 
functions given to her in the Act. Her mission statement commits her to promoting 
respect for the private lives of individuals and in particular for the privacy of their 
information by: 

• implementing the Data Protection Act 1998; and

• influencing national and international thinking on privacy and personal information.

She is concerned to ensure that data protection and privacy issues are identified and addressed at the inception of new laws, processes and systems. It is central to this that:

• those who handle information both in the public sector and in the private sector are aware of their obligations and act accordingly;

• data protection emerges as a feature of good business practice and is seen as a necessity for recruiting and retaining customers rather than as a regulatory burden;

• policy makers, particularly at governmental level, give appropriate weight to individuals’ privacy rights in the development of new legislation, international instruments, public policy and the delivery of services.

In addition the Commissioner seeks to develop a climate in which individuals are 
aware of their rights in relation to their information and feel confident that these 
rights are respected and can be exercised. 

Some specific activities that the Commissioner is or has recently been involved 
in include: 

• implementation of a national advertising campaign related to individuals’ rights;

• development of education packs for use in schools;

• supporting the development of data protection qualifications and the incorporation of data protection material in other relevant syllabuses;

• preparation of guidance and materials to assist data controllers with compliance, eg a data protection audit manual;

• encouraging the work of national and international standards bodies on data protection;

• development of design notes for systems developers to ensure that privacy protection is incorporated in standard design methodologies;

• promotion of a debate on current data protection and privacy issues through conferences/seminars;

• encouraging effective self regulatory initiatives that can operate within the legislative framework particularly in connection with e-commerce;

• supporting the development and use of alternative dispute resolution procedures for handling data protection complaints.

Recently the Commissioner has been invited to contribute to the UK Govern- 
ment’s appraisal of the UK’s new data protection regime. This has been conducted 
partly with an eye to the review of the EU Directive due by 24th October 2001. 
Many of the points raised in her submission are matters of detail but she draws 
attention to some areas where, in her view, the law imposes burdens on data con- 
trollers that are out of proportion to the benefit, if any, that they bring to individ- 
uals. These include: 

• the application of the law to situations where a data controller is not established in the UK but nevertheless uses equipment in the UK for processing;

• the concept of special or sensitive categories of data rather than a recognition that it is the circumstances in which personal data are processed that make them sensitive;

• the provisions on automated decisions;

• the extent of the notification obligation on data controllers;

• the emphasis placed in the provisions governing transfers to third countries on centralised decision making rather than leaving decisions and arrangements on adequacy to data controllers, in the first instance.

In addition the Commissioner has commented on some areas in which she con- 
siders the law could better protect individuals. These include: 

• the lack of a right to compensation for distress caused by a breach of the Act when there is no associated damage;

• the restriction on her right to assess a data controller’s processing of personal data for the following of good practice, which means that she can only do so with their consent;

• the lack of a power to impose a penalty rather than merely ensure compliance where a data controller knowingly or recklessly breaches the Data Protection Principles.


FURTHER INFORMATION 

The Commissioner would be pleased to supply further relevant information that 
the Sub-Committee might require. 

Mr. Stearns. Well, I thank you, Mr. Smith. 

I will start with the questions here. Let me say to my colleagues, 
if you have a business in Europe, and you want to use the internet 
to send out information back to the home company in the United 
States, you have an option of complying with the European Union’s 
privacy provisions, or you have an option of the safe harbor agree- 
ment that was worked out between the administration and the Eu- 
ropean Union. 

Only 20 corporations, less than 20 corporations, have signed up 
for the safe harbor agreement, because it doesn’t appear, at least 
from an American standpoint, to be practical. So a third alternative 
for you, if you are in Europe and you are doing business, and you 
want to send back information and do everything, is what is called 
a model contract. 

And so the gentleman we have here, my colleagues, is head of 
what is called the Article 29 Working Party, which is all of the Eu- 
ropean Union representatives come together and talk about how 
they are going to develop these model contracts. 

So the first question I would like to have for Professor Rodota is, 
what are the key terms spelled out in these model contracts? Do 
U.S. companies have any room to negotiate the provisions? If so, 
with whom do they negotiate? The company wishing to transfer 
data or a privacy commissioner? Do you understand that, or is the 
question clear? 

I think we need to know for American corporations, what are the 
key terms of the model contracts? Who do they negotiate, the com- 
pany, or do they have to come to you as part of the privacy commis- 
sioner? 

Mr. Rodota. No. No. The companies does not have to come to the 
Data Protection Authority. Now the standard contractual clauses 
have been approved by our group, and now they are on the way to 
be approved by the Commission. 

So when this kind of model contracts will be approved, both par- 
ties — the exporter and the importer, the European part and the 
U.S. or the third country part, can pass a contract without an 
intervention of the Data Protection Authority at the European 
level, because it means that they are using a contract sealed by the 
European Commission. 

So if they respect the terms of the contract, they have a mecha- 
nism, an instrument, giving them the opportunity to comply with 
the adequacy test. This is a traditional contract. Yes, I don’t know 
if my answer 

Mr. Stearns. Can they negotiate terms? 

Mr. Rodota. Partly. Partly. 

Mr. Stearns. Partly. 

Mr. Rodota. You have the model contract, a model contract, the 
possibility to choose some options, yes, especially on the side of the 
enforcement, because you can have the possibility of — I have here 
the text of the — yes, the model contract. 

You have the possibility to, for instance, in the part of the obliga- 
tion, to choose the legislation of reference, the different — the medi- 
ation and jurisdiction for possibility for solving the conflicts. So 
they are part — they cannot make us see it — the part referring to 
basic principles of the directive. And other parts parties can have 
the possibility to choose. 

Mr. Stearns. Mr. Smith, your testimony states that the Office 
of Information Commissioner has “appropriate powers of investiga- 
tion and intervention to monitor compliance with the law.” Could 
you explain the limits of those powers? Could you please provide 
us with any examples of the application of said powers the Infor- 
mation Commissioner has taken to date for possible violation of the 
law? 

Mr. Smith. Yes, Chairman. There are certain criminal offenses, 
as I mentioned, under the Act — obtaining information by deception. 
We have prosecuted a number of organizations and individuals for 
that. We also prosecute for failing to be registered or notified with 
our authority. 

Where there are more matters that require investigation, wheth- 
er they are criminal matters or breaches of the Data Protection 
Principles, we have powers to obtain search warrants, and we go 
before the court and obtain a search warrant to obtain evidence, 
and we have done that on several occasions. 

We also, under the new law, have a power to issue information 
notices which require businesses to answer questions which are 
necessary for our investigation. We have yet to use that, because 
this has only just come into being. And our powers then are — for 
general breaches of the Act are to issue enforcement notices, which 
require a business to change its practice to delete data, to provide 
notice and choice, or whatever. 

We have used that on probably about a dozen occasions up to 
now and — those cases, and some of them have gone to an appeal 
tribunal, which has generally found in our favor. 

Mr. Stearns. Thank you. My time has expired. 

Mr. Towns, ranking member? 

Mr. Towns. Thank you very much, Mr. Chairman. 

Mr. Smith, has the EU or any member country taken action 
against a firm for its failure to comply with the requirements of the 
privacy directive? And, if so, has any EU firm been forced to seize 
data operations as a result of the non-compliance? 
Mr. Smith. I can only answer in relation to the United Kingdom. 
We have taken action — because of the privacy directive, the law im- 
plementing that has only very recently come into force. The action 
we have taken under that, although there have been — we have 
commenced proceedings, in a number of cases is limited, but our 
old law was very similar and there were cases under the old law. 

We have required businesses to stop using information in the 
way that they were using it previously, and in some cases they 
have had to change their practices significantly. One recently has 
been in relation to utility companies, which were privatized, and 
the use of information for marketing purposes fall in privatization. 
And they have had to revise significantly their practices as a result 
of our action. 

There are others I could give, but we have required changes, cer- 
tainly. 

Mr. Towns. Thank you. On that note, well, are the privacy con- 
tracts that are negotiated with foreign firms reviewed by EU offi- 
cials, or is each country’s privacy director responsible for deter- 
mining that the contracts are consistent with the privacy directive? 
I mean, who makes that decision? 

Mr. Smith. Under the UK law, which is not necessarily identical 
to the laws of every member state, there are two ways. One is the 
way Professor Rodota has described, which is that there are model 
contract clauses approved by the Commission, and when those are 
approved UK businesses are perfectly entitled, and we would en- 
courage them to use those and rely on those. 

There are also arrangements under the law where we, as Com- 
missioner, can approve model contracts or individual arrangements 
between one company and another. And at the end of the day, the 
UK law requires adequacy, and it talks about adequacy being as- 
sessed on the basis of arrangements that apply in a particular case, 
whether — including terms such as codes which apply in general or 
in a particular case. 

And a contract is an enforceable arrangement that applies in a 
particular case. So it is possible for a UK business to develop a con- 
tract with a U.S. business, which does not necessarily follow pre- 
cisely the model, if it is eventually approved by the community, 
and still ensure adequacy. 

So it is possible for contracts to be developed and to meet the re- 
quirements of the law. 

Mr. Towns. All right. Go ahead, Professor. Yes? 

Mr. Rodota. Yes. Let me describe very precisely a situation that 
can occur in all member states of the European Union. Because 
until now there are many cases in which the data protection au- 
thorities were asked by European and U.S. companies to agree 
with their contract. 

They control if they submit to the adequacy test, the contract 
submitted by both parties, and they are mostly in Germany. A very 
important contract passed by U.S. Citibank and Deutsche — and the 
Deutsche Railway. And in other countries like France, Spain, Italy, 
there are many cases in which until now not having some general 
rules like safe harbor, and not model contract approved at the Eu- 
ropean level, they used the possibility to ask in specific cases the 
data protection authorities. 
This is a very well-established procedure. Not easy. Not easy. 

Mr. Towns. Right. 

Mr. Rodota. Very, very bad for the data protection authorities. 

Mr. Towns. Are these private contracts disclosed publicly? 

Mr. Rodota. Yes. They are always brought to the Data Protec- 
tion Authority. 

Mr. Towns. Well, how could I get one? How do you get a copy 
of them? How do people get copies of them? 

Mr. Stearns. He would like to get a copy himself. 

Mr. Smith. Certainly. The individual contracts would not be 
made publicly available. The only contracts which may be publicly 
available are the model which has been referred to. 

Mr. Towns. So, I mean, that is secret. Okay. Well, anyway, let 
me move on. You have been traveling a great distance. 

Let me just ask one other question, Mr. Chairman. 

There was a survey conducted by the Kearny Management Group 
which was reported in November of last year in the publication 
“Biz Report” — confirms this point. Let me quote, “E retailers world- 
wide lose $6.1 billion” — that is B as in boy — “in sales due to an 80 
percent failure rate among online purchase attempts, and that 
invasive information requests are blamed for 52 percent of sales 
that fall apart, followed by reluctance to enter credit cards, 46 per- 
cent.” Do you agree that business is paying a big price for the con- 
fidence consumer lacks in the privacy security of their online trans- 
actions? 

Mr. Smith. Yes, we would agree that there is a real problem 
there and that those businesses that recognize the true situation 
actually build privacy into their practices as a way of attracting 
and recruiting, keeping customers, rather than simply as a regu- 
latory requirement. 

Your figures are supported by a whole range of studies, and our 
perception in the UK is the same as yours. Businesses increasingly 
will — not increasingly, but we do find businesses that adopt prac- 
tices online which, in our view, are not acceptable and do not nec- 
essarily comply with the law, particularly excessive information 
gathering, requiring information as a condition of doing business 
where that is not necessary for the transaction, and failing to pro- 
vide the choice that is allowed, and operating in an underhand 
way, not giving notice of information collection practices which are 
taking place through the use of cookies and mechanisms such as 
that. 

Mr. Towns. Thank you, Mr. Smith. 

Thank you, Mr. Chairman, for your generosity. 

Mr. Stearns. The gentleman’s time has expired. 

Mr. Shimkus is recognized for 5 minutes. 

Mr. Shimkus. Thank you, Mr. Chairman. Mr. Chairman, I would 
recommend that also the OECD was mentioned in some of the 
opening statements. I had a chance to visit the OECD on the 
NATO trip. A lot of people — we don’t — a lot of us don’t know what 
that is, but we are a member. And we have an ambassador and a 
staff, and if they are doing issues on privacy we should probably 
call them to see what our response is in that organization, and I 
would be willing to help facilitate that. 

Mr. Stearns. It is a good idea to coordinate with them, too. Yes. 
Mr. Shimkus. Because they are working in conjunction with our 
European allies, not just — Mexico is a member, Korea is a member. 
It is a pretty big international grouping of nation states. 

Mr. Smith, I would like to — you also mentioned effective rem- 
edies for individuals, dispute resolution, which implies that there 
will be some information that will be improperly used, and that in- 
dividuals will try to address redress, or get redress, which brings 
up the issue that I would like to ask on is the Investigative Powers 
Act or the RIP Act, which, again, based upon my opening state- 
ment, privacy is the utmost issue we had to debate here in our 
country on the CARNIVORE issue. 

The fact of being able to gather all of the communications, hold 
them in a bank of information for 7 years, and require people who 
are doing business to do so, I think is really a threat on privacy 
issues for our companies and individuals. 

And I would like to follow up with a question to both of you is, 
Professor Rodota, how does the EU Data Privacy Directive affect 
the RIP Act or similar laws that may pass in other EU countries? 
And how would the EU directive protect non-EU members from the 
UK government storing personal information about them? 

Mr. Smith. Perhaps if I start, and then Professor Rodota can 
take up the general European situation. 

Mr. Shimkus. Great. 

Mr. Smith. The RIP Act, the Regulation of Investigatory Powers 
Act, doesn’t actually include any measures that require or nec- 
essarily permit businesses to store data solely for — or telecommuni- 
cations providers solely to store data 

Mr. Shimkus. No. But the government stores it. 

Mr. Smith. Well, no, not under the Regulation of Investigatory 
Powers Act. The Regulation of Investigatory Powers Act only gives 
powers of interception, and we, as Commissioner, expressed views 
which weren’t necessarily taken into account in the final version. 

You are quite right that there are proposals or suggestions to re- 
tain data for investigatory purposes. They are not actually part of 
the RIP Act, and they haven’t yet been brought in. The suggestion 
of 7 years is merely in a leaked report from the National Criminal 
Intelligence Service and is by no means government policy. 

Government policy, as far as we know at the moment, is not to 
legislate in this area and to wait until international instruments 
address the matter and essentially set the standard. 

So I think there may be some misunderstanding. There is no re- 
quirement at the present time to keep traffic data for investigatory 
purposes for 7 years. We would be very much against that. If there 
is to be a period of retention at all, it should be very much shorter 
than that. And as I say, it is a matter being addressed by inter- 
national instruments, which is what Professor Rodota 

Mr. Shimkus. But if I may, before we go to the EU aspect, but 
is there — okay. If it is not a collection, is there a review of all data 
coming in, electronic, internet, or cell, or land line review, under 
the RIP Act? 

Mr. Smith. No, there isn’t. I mean, there are arrangements 
whereby interception can take place. Essentially, there are provi- 
sions. They have to be authorized by — in some cases by the Home 
Secretary, in other cases by a senior police officer or equivalent. 
And one of our concerns when the bill was going through Parliament 
was the level of that authorization. We asked for it to be 
higher than it is. But there is an arrangement whereby intercep- 
tion does have to be authorized on a case-by-case basis. 

Mr. Shimkus. We had this debate on the encryption debate and 
law enforcement. It got very contentious here. 

And I will finish up with, if I may, Mr. Chairman, allowing the 
Professor to finish, and that will end my time. 

Mr. Rodota. I would like only to say that this problem is now 
under discussion in Europe, because the way in which traffic data 
can be collected is under discussion in the framework of the Coun- 
cil of Europe Directive on Conventions on cyber crime. And also, 
the U.S. are part in the negotiations. 

Generally speaking, the attitude is different in different coun- 
tries. But the work — the Article 29 Working Party passed the reso- 
lution last year, very clear on this point, saying, first of all, that 
no interception can be made without an authorization by jurisdic- 
tions. And no collection, massive kind of data collection. 

This is the problem — two very important principles in the direc- 
tive are: first of all, the principle of finality; and, second, the prin- 
ciple of proportionality. We were, and we are, strongly against any 
kind of massive collection, without the specific and indicated aim. 
We are asking also for a very short period in the duration for this 
kind of collection of data. They are moving in different directions. 

For instance, the Belgium Parliament has passed, for security 
reasons, for the first time, a law saying that data can be stored for 
1 year, and that they are going beyond the indication Article 29, 
saying they were much more in favor of shortest time of conserva- 
tion. 

Mr. Stearns. The gentleman’s time has expired. 

Mr. Gordon, the gentleman from Tennessee, is recognized for 5 
minutes. 

Mr. Gordon. Mr. Shaw, if I could follow up on some comments 
you made earlier. You were talking about how individuals in the 
United Kingdom had the right to go to court, if necessary, to pro- 
tect their rights if — as individuals. Do you have what we would call 
class action lawsuits here? Do they go as an individual, or can they 
bring in large groups of individuals that they feel are in that same 
situation? 

Mr. Smith. No, the UK law, as it stands at the moment, only al- 
lows individuals to bring cases. And I think it is fair to point out 
that actually the individual’s rights are fairly limited, and that it 
only enables them in terms of getting redress, to get compensation 
for damage, which in UK legal terms involves some sort of finan- 
cially quantifiable loss. And most of the data protection breaches 
result in distress to individuals, but not necessarily a financially 
quantifiable loss. 

So I think we have been asked, as Commissioner, to express our 
views on the law, and it is one area we feel the law could be im- 
proved in providing redress for individuals. 

Mr. Gordon. So if you are a U.S. company thinking about doing 
business in Great Britain, I guess my thoughts would be, certainly, 
if I was looking at Europe at large, that although United Kingdom 
has not opted into the Euro, it would — you know, certainly, the EU 
is trying to bring down barriers among their own countries and 
trying to become more productive in terms of their commerce there. 

But this is — I guess in Tennessee we would call it a little loosey- 
goosey. I mean, you know, if I am a company, and I am trying to 
do business in Italy and maybe in France, and a couple of other 
countries, under a safe harbor I would be somewhat concerned that 
maybe one country would say okay, another country maybe not. 
You know, it makes you concerned there. 

So if you are deemed not properly within the safe harbor, what 
are the penalties? What risk does an American company, Mr. 
Shaw, risk? 

Mr. Smith. If a company is not part of the safe harbor and 
transfers 

Mr. Gordon. Or tries to be, but deemed not so. 

Mr. Smith. Yes. 

Mr. Gordon. In one — say, potentially, two countries say yes, but 
another country says no. 

Mr. Smith. Yes. I mean, that is not how the safe harbor works. 
It is up to the U.S. — I believe it is through the Federal Trade Com- 
mission — to take people onto the safe harbor list. And if they are 
taken onto the list, then we and all of the other EU member states 
have to recognize them as providing adequate protection. We have 
no choice in that, and this is a common standard. 

The area where penalties would come in is if a U.S. business is 
not in a safe harbor, has made no arrangements for adequacy, has 
no contract or other arrangements, and is transferring data in 
breach of the law. And then our power would essentially be to pro- 
vide them with an order to stop them transferring that data. And 
if they failed to comply with that order, then they could be pros- 
ecuted for a criminal offense. 

Mr. Gordon. Okay. So if the FTC says that they are in compli- 
ance with safe harbor, but, again, a country in Europe disagrees 
with that, then does the FTC’s position trump it? 

Mr. Rodota. I would like to — also to go back to the first — the 
first question you raised. In Italy, we have no class actions, but 
there is the possibility, if the people make this kind of decision, to 
be assisted or to be substituted by a tribunal or organization. 

In the situation of a weakness or the part asking for the respect 
of the law, the individual can give the possibility to a group to act 
in — on behalf on its own interest. This is very interesting machin- 
ery. 

Second, the problem if this — there is the possibility that the 
same request made by a U.S. company in France or in Italy have 
different answers. It is possible that they can escape this risk using 
one or two means. There you have safe harbor or standard contrac- 
tual clauses. 

Third, if there are the possibility — if some data are transferred 
without entering the safe harbor, without having — using model 
contract, without previous authorization of the national Data Pro- 
tection Authority, they are in infringement of law, surely, for the 
national authority. 

What happens if there is a discrepancy between what the FTC 
decides and the attitude of the national Data Protection Authority? 
That is a problem. That is a problem because we are waiting for 
the way in which the Federal Trade Commission will 

Mr. Gordon. Excuse me. We have a limited amount of time. So, 
again, so you are saying, then, that there can be a situation where 
the FTC could grant safe harbor, but an individual European coun- 
try could say, “We don’t agree with that.” Is that 

Mr. Rodota. They don’t agree with the safe harbor 

Mr. Gordon. All right. So, then 

Mr. Rodota. [continuing] with the FTC decision. 

Mr. Gordon. All right. That is not consistent, then, with what 
Mr. Shaw said, is it? And I am trying to figure out — Mr. Shaw, is 
that 

Mr. Stearns. Mr. Smith, you mean. 

Mr. Gordon. Mr. Smith. I am sorry. Excuse me. Is that — that 
sounds to be inconsistent there with your statement. Is that true 
or not? I am just trying to — I am not trying to get a fight here. I 
am just trying to find out what is going on, and then trying to see 
what level of risk our countries are taking, or our companies are 
taking. 

Mr. Smith. My understanding is that if a business is on the safe 
harbor list, we, as a supervisory authority in the UK, cannot act 
to stop transfer to that business, unless there is some breach of UK 
law taking place in the UK prior to transfer, which, you know, 
would be the same as if the transfer was to a company in France 
or even to another company in the UK. 

The only area where I believe we could take action is if the com- 
pany has failed to comply, demonstrably failed to comply with the 
safe harbor arrangements, and then the — and no action has been 
taken. But, essentially, if they are on the safe harbor list, then they 
are approved in that sense. 

Mr. Stearns. The gentleman’s time has 

Mr. Gordon. Yes. But you are still the final arbitrator of that. 

Mr. Stearns. The gentleman’s time has expired. 

Let me just, have you folks finished your answers? Yes. 

The gentleman from New Hampshire, Mr. Bass, is recognized. 
He is not here. 

Then, Mr. Doyle is recognized. 

Mr. Doyle. Thank you, Mr. Chairman. 

You were asked earlier, I believe, by Mr. Towns about the pri- 
vacy contracts and whether they were disclosed publicly, and I be- 
lieve your answer was that they weren’t, that they were private, 
is that correct? 

Mr. Smith. Yes. 

Mr. Doyle. So when a company negotiates a private contract 
with the privacy director, that is only known — the details of that 
are known between the company and the privacy director. Yet 
when companies go the safe harbor route, the details of that agree- 
ment are posted on the internet and are publicly disclosed for all 
to see. 

Do you think maybe that explains why so few companies go the 
safe harbor route? Wouldn’t it be smarter for them to make their 
arrangements with the privacy director in private without disclo- 
sure? How does one police — you know, if the contracts are private, 
you know, how does one know what agreements are being made in 
private between the companies and the privacy director, as opposed 
to companies that go the safe harbor route and disclose everything? 

Mr. Rodota. That is a matter of the politics of each company. 
But generally speaking, I think that entering safe harbor means 
the company can transfer data by European partners without any 
specific and case-by-case procedure. Otherwise, in any case and for 
every counterpart you have in Europe you must engage a specific 
procedure before the national Data Protection Authority. 

I think that the economy of means may be balanced by the lim- 
ited publicity of 

Mr. Doyle. So if you are dealing in multiple countries, you would 
have to get a separate contract in each one of these countries. And 
that hassle, or, you know, whatever that would entail is out- 
weighed by the disclosure. 

Mr. Smith, do you agree with that? 

Mr. Smith. Yes. 

Mr. Doyle. Let me ask you another question. Do you think the 
European Union privacy directive, do you think it was a reactive 
initiative and measure? That is, that European industries weren’t 
practicing self-regulation and the government needed to step in 
and put an extra level of protection, or do you simply see it as 
something that complemented what industry in Europe was doing? 

Mr. Smith. Yes. I think the thinking behind the directive was 
from a slightly different perspective. It was essentially seen as the 
development of the single market within Europe. And in order to 
remove the possibility of, say, the UK businesses not being allowed 
to transfer data to France, for example, on the basis that there was 
inadequate protection, the directive would bring all countries up to 
a roughly similar level. So there is no basis for restricting the flow 
of data. 

I think that was the thinking behind it. I mean, in most coun- 
tries, but not all, there was data protection law beforehand. There 
was in the UK. And I think the roots of that were primarily in the 
human rights argument that there needed to be a level of protec- 
tion. We had signed up, as the UK, to the Council of Europe Con- 
vention and should have had a law, then, to implement that. 

But also, as I mentioned earlier, there was a strong lobby in the 
UK from the business community, from the Confederation of Brit- 
ish Industry, to have data protection law in the UK, firstly, to give 
some reassurance to consumers that they could trust companies 
which computerize their data — was basically the position at that 
time. But also, to bring the UK at that time into the European 
data protection, if you like, club, to enable it to participate in the 
flow of data. 

So I don’t think there was a great deal of look at, if you like, 
whether self-regulation was effective or not in terms of developing 
the law. But what we are seeking to do now is very much encour- 
age self-regulation and self-regulation to resolve, if you like, day- 
to-day consumers’ problems and individuals’ problems but with a 
backstop of the law. So if that fails, then the law is there to provide 
the final area. 

Mr. Doyle. Just one last question. To the four countries, Pro- 
fessor, that you said were in non-compliance with the directive — 
Germany, France, Ireland, and Luxembourg — are the data firms in 
these countries being forced to enter into privacy contracts to 
continue transfers with other EU members? 

Mr. Rodota. The fact that they have not implemented the direc- 
tive does not mean that they have no data protection. They have 
data protection. France and Germany have very well-established, 
since 1978, data protection laws. They have Data Protection Au- 
thority very, very prominent in France and in Germany. In Ger- 
many, they have also the Federal level. It means that they have 
data protection authorities in every land. So I think that that is not 
a problem. 

I would add a word on the problem of industry, self-regulation, 
and the framework of directive. I think that we are now assisting 
to a very interesting development inside Europe, because the codes 
of conducts are not at all considered as an expression of a specific 
sector. You know that there is an article in the directive, the Arti- 
cle 27, implementing the codes of conduct. 

This means that the interested sector can submit a draft to the 
workgroup — Article 29 working group — asking for a seal, in brack- 
ets, for a seal. And it means that this kind of codes of conduct com- 
ply with the general principles of directive. Expression of a rep- 
resentative sector of the industry are agreed, and they have not 
only a moral suasion, much moral suasion, but they can better be 
implemented also at the code level. It is very important. 

And, in Italy, we are now developing this experience of codes of 
conduct with different sectors. Media, it is working very well; the 
sector of research, historical statistics; the sector of private inves- 
tigation; banking and insurance now we are underway. 

It is very important, because we have a general set of legal es- 
tablished principles and a tool, the codes of conduct, for making 
these principles flexible. This is very important. But it means that 
you have at the national level, or the European level, one single 
body giving this kind of seal. 

And if I can express an opinion, it would be very important for 
all of the world if also United States will have an agency, a privacy 
agency, giving this opportunity to the citizens and also to the busi- 
ness community. 

Mr. Doyle. Thank you. 

Mr. Stearns. The gentleman’s time has expired. 

Mr. Buyer is recognized for 5 minutes. 

Mr. Buyer. I want to thank you, Mr. Chairman, and I want to 
thank the witnesses for coming. I want to make a few comments, 
and then I want to solicit your response to my comments and my 
question. 

I have been upon the European continent. Not only as a private 
citizen, but I have worn the uniform, and as a Member of Congress. 
One thing I enjoy are these discussions, because it always rein- 
forces what I believe was good judgment of my ancestors to leave 
the continent. 

Okay? I find myself troubled at the moment. I am troubled be- 
cause, as I watch the European Union sort of try to come together, 
which in world history is amazing. Because you mocked us at the 
creation of our country, as we were called the Grand American Ex- 
periment. Perhaps we can now look back across the ocean and sort 
of mock you back and say, “Well, let us see if it can succeed.” 

And then, I find myself here in Congress, and say, “Well, I do 
agree in a quest for economic harmony?” That is what we are try- 
ing to do as each of us, as sovereign nations, seek to protect our 
own identity, and how we choose to recognize rights and govern. 
Okay? 

You, meaning the European Union, and those member countries, 
have chosen to give up something for some social compact. Am I 
now here in this country supposed to accept that your model should 
be the standard for the world? I am bothered and troubled at the 
moment. 

I find myself a few years ago having to vote on some measures 
here in Congress that were negotiated with countries around the 
world, or whether we should create the World Trade Organization 
and The General Agreement on Tariffs and Trades. It was very dif- 
ficult to get Europe to agree on certain things. So in the end, in 
order to get signatures, we created carveouts and exceptions. 

Now I find myself troubled and ask, are these carveouts and ex- 
ceptions being exploited? We recognize that nations want to pro- 
tect, certain things, whether it is cultural or other types of things. 
Like, are we are not going to let those genetically engineered orga- 
nisms come in upon our continent? My gosh, let us just prevent all 
that U.S. agriculture from coming in. So they exploit an exception. 

So I am curious as I sit here, because you are the experts now. 
What protections did the EU nations make to ensure that the data 
protection did not generate a violation of the commitments that 
your nations made to the World Trade Organization? Do you be- 
lieve that it did or did not? I am interested in the response from 
both of you. 

Mr. Rodota. I emphasized at the beginning of my statement that 
there is an important evolution in the European Union, giving an 
important protection to personal data because they are considered 
a very important part of fundamental human rights. And if we are 
living in the information society, information about individuals be- 
comes more and more important for respecting the individual 
rights. 

There is not an idea to impose a model to the world or to defend 
a cultural identity. Europe accepted the modern idea of privacy 
protection coming from the United States. That was very important 
for us. We recognized a very important improvement in the idea of 
democratic rights, privacy. We accepted this idea. And as a very 
prominent law philosopher, Ronald Dworkin, teaching in the U.S. 
said, we have taken rights seriously. 

So at this very moment, we are not trying to impose our model. 
We are trying to have a dialog on these very important issues with 
all countries, and we respect the idea and the model of U.S. Other- 
wise, the safe harbor could not be possible. 

But at the same time, we have considered privacy problems ac- 
cording to the very, very long American tradition. I am a professor 
of law. I know very well the seminal work of Warren Brandeis pub- 
lished in the Harvard Law Review in 19 — at the end of the 19th 
century, 1890, in the Harvard Law Review. 

And the idea of privacy was not directly connected with economic 
at first. We must have a balance. This is our attitude, and I think 
that we can have a fruitful dialog on these points. 
Mr. Smith. I have nothing to add. 

Mr. Stearns. The gentleman’s time has expired. 

Ms. DeGette is recognized for 5 minutes. 

Ms. DeGette. Mr. Chairman, thank you very much. And I 
wasn’t here at the beginning of the hearing, I was on the floor, and 
so I would like to ask unanimous consent for myself and all other 
members to submit their opening statements for the record, Mr. 
Chairman. 

Mr. Stearns. Unanimous consent so granted. 

Ms. DeGette. Thank you. And I am sure that my colleagues 
thanked both of you for traveling here to testify today, but I would 
like to add my thanks. I know that the European Union has tried 
very hard to craft a policy directive that will protect consumers and 
at the same time encourage commerce. 

And I, for one, think that it is a noble effort, and I am sure that 
most of the members of this subcommittee would share my con- 
gratulations. As with the United States, it is an evolving effort be- 
cause of the evolving technologies. And I would just like to ask you 
gentlemen a couple of questions in that direction. 

First of all, for clarification, Germany, France, Ireland, and Lux- 
embourg, it is not that they are in non-compliance, in my under- 
standing, it is that they have not yet adopted the EU Data Protec- 
tion Directive. Would that be correct, Professor? 

Mr. Rodota. Yes. 

Ms. DeGette. And I would assume in those situations that 
would be because they feel that they have their own laws which 
will protect privacy. I think you talked in particular about France 
and perhaps Germany. 

Mr. Rodota. No. I think that the reasons why they have not yet 
implemented the directive are political ones 

Ms. DeGette. I see. 

Mr. Rodota. [continuing] because they changed their majority, 
and the new government in France started again with 

Ms. DeGette. Okay. 

Mr. Rodota. I think that — and Germany is now trying to have 
a more comprehensive 

Ms. DeGette. I see. 

Mr. Rodota. [continuing] law than the 

Ms. DeGette. Then the 

Mr. Rodota. [continuing] same directive. 

Ms. DeGette. Okay. 

Mr. Rodota. I think that at the end of this year they will comply 
with that. 

Ms. DeGette. They will. Now, I am sure both of you gentlemen 
are familiar with a recent study that was done by Consumers 
International. It was quoted extensively in The Wall Street Jour- 
nal. And in the article, Anna Fiedler, who is the Director of Con- 
sumers International, said that the evidence shows there is a real 
lack of enforcement by the EU privacy regulations. So that even 
though they are on the books, they are rendered useless. 

What is your opinion? Let us start with Mr. Smith, and then we 
will go to you, Professor, on that. 

Mr. Smith. Yes. Thank you. We have some — I mean, I have some 
sympathy with the article, although I think it perhaps goes a little 
too far in saying that enforcement is useless. I mean, I have 
described I hope to the committee some of our enforcement action and 
the powers that we have and that we have used them. 

But we have never seen formal enforcement as the primary 
mechanism of achieving data protection compliance. It is rather 
through a process of education, development, and encouragement, 
and developing it into good business practice, self-regulatory re- 
quirements, that compliance is being delivered. 

Now, there is a long way to go, and the survey relates particu- 
larly to the world of electronic commerce 

Ms. DeGette. Right. 

Mr. Smith. [continuing] where there are real challenges. 

Ms. DeGette. Thank you. 

Professor? 

Mr. Rodota. Well, I think that — I know the study. I have seen 
the article in The Wall Street Journal. I am convinced that it is a 
misunderstanding. And they — this research gives a false impres- 
sion of the real situation. They say 60 percent, if I remember cor- 
rectly, of the American websites have 

Ms. DeGette. Privacy. 

Mr. Rodota. [continuing] privacy problem. 

Ms. DeGette. Right. 

Mr. Rodota. And only 32 percent of the European websites have 
a privacy problem. But, in Europe, even if there is no policy indi- 
cated by the websites, in any case that is the law. 

Ms. DeGette. Well 

Mr. Rodota. And the citizens have the opportunity to use law 
without any reference to the politics indicated by the websites. 

Ms. DeGette. Yes. But, Professor, what the study said was that 
more than 69 percent of European websites collect information by 
users, but only 32 percent point them to the privacy policy. What 
they pointed out is there is a lack of consumer confidence. 

Mr. Rodota. No. But 

Ms. DeGette. That is not correct? 

Mr. Rodota. This is — that is a problem. Frankly speaking, I 
must say that we are discussing the Article 29 group on the basis 
of a proposal of the French Data Protection Authority. The French 
Data Protection Authority make an inquiry in France for having 
the — for checking the kind of politics of privacy politics by the dif- 
ferent websites. 

And now we are discussing European level, in order to give also 
a European seal to the websites. But in any case, it does not mean 
that consumers in Europe have not enough protection. For in- 
stance, in Italy, some consumers ask our Data Protection Authority 
against some collectors of data, and we have the means to inter- 
vene. We intervened. We are the enquirer. And at the end, also we 
apply the sanction, and there is the possibility of an intervention 
of the judiciary. 

And generally speaking, we have at the European level a rec- 
ommendation of the Article 29 group saying that the invisible 
treatment, for instance through cookies, are in Europe completely 
illegal on the basis of the European directive. 

Ms. DeGette. Thank you. 

Mr. Stearns. The gentlelady’s time has expired. 
Mr. Walden, the gentleman from Oregon, is recognized for 5 min- 
utes. 

Mr. Walden. Thank you, Mr. Chairman. 

I appreciate your testimony today and your willingness to come 
here and share your views on the privacy directive and help us un- 
derstand it better. 

I am curious, given what you are trying to do to solve the prob- 
lems within the EU countries, so you have a common threshold for 
privacy protection, when we look at those and say we have to com- 
ply in order to have commerce, in effect, what do we do when Can- 
ada or Argentina or somebody comes in with a different set of di- 
rectives? 

How is the EU going to relate to that if Canada, for example, has 
a different requirement than what you have negotiated with the 
EU? Is each country going to negotiate, then, separately with Can- 
ada or the U.S.? How does that work? Can either of you speculate 
on that? 

Mr. Smith. Yes. The European directive under UK law requires 
adequacy, not equivalence. It doesn’t have to be the same as the 
directive. 

Mr. Walden. All right. 

Mr. Smith. And, indeed, the safe harbor arrangements do differ 
from the directive. The Canadian law which is on the way to being 
approved, but has not yet been approved, is also significantly dif- 
ferent. I mean, I do take your point that, you know, where you go 
to is sort of, when you do these comparisons, around the world. But 
with that approach to adequacy rather than equivalence, it 
shouldn’t be too difficult to reach that sort of settlement. 

We would also favor — I mean, it is not for us to put it forward. 
We are only the supervisory authority. 

Mr. Walden. Right. 

Mr. Smith. Increasing development of international instruments, 
and the work which has been referred to as the OECD is particu- 
larly important in this area. And we would very much encourage 
it. I mean, that clearly would be the ideal, an international frame- 
work which we could all sign up to, which will provide the privacy 
protection effectively, and what is, you know, now a global market, 
where it is difficult to apply some of the nationally based regu- 
latory requirements. 

Mr. Walden. Because it seems to me — see if you agree with 
this — that your privacy directive, first of all, has an individual 
right of action. Somebody can sue, correct? And so one of the con- 
cerns I have, and I think shared by Mr. Buyer and others, is how 
that affects our sovereignty as a nation. 

Because, in effect, you could export an enforceable legal right to 
the United States that could be litigated here by both an American 
and a non-American in our court system, in effect a law we have 
never voted on, enacted, and yet somebody can be sued here. Cor- 
rect? I mean, that is what I am hearing is a possibility. Is that 

Mr. Smith. I am not sure that I am in a position to answer that. 

Mr. Walden. Okay. 

Mr. Smith. I think that is a question which really has to be di- 
rected to the European Commission rather than to 
Mr. Walden. I see. But do you see where we are headed here? 
Do you share that concern? What if we have one that could be liti- 
gated in the European Union without you ever having an oppor- 
tunity to weigh in on it, if we pass a directive? 

Mr. Stearns. Just a point of information. I think the gentlemen, 
if they don’t sign the safe harbor, they can’t be prosecuted in the 
United States. But if they sign the safe harbor, and ultimately the 
model directive, yes, they can be sued. 

Mr. Walden. But the impact, though, Mr. Chairman, is if they 
don’t sign or don’t agree 

Mr. Stearns. Right. 

Mr. Walden. [continuing] they have been excluded from com- 
merce, so by de facto you either are excluded from trade or you 
agree to absorb somebody else’s laws and suffer personal right 
of 

Mr. Smith. I mean, that is certainly not how we as a supervisory 
authority would view it. I mean, those are 

Mr. Walden. Okay. 

Mr. Smith. [continuing] wide questions. But the simple approach 
that we would take is that if it is data on a UK citizen, that ought 
to be protected. And if that citizen gives the data to a business op- 
erating in the UK, that person ought to have some privacy protec- 
tion. And if that company simply exports the data, not necessarily 
to the United States, to anywhere in the world 

Mr. Walden. Sure. 

Mr. Smith. [continuing] which doesn’t have protection, that cit- 
izen is at risk, and increasingly so because of global markets and 
the internet and the way in which information can be moved 
around the world so readily. And it is simply a question of pro- 
viding protection. 

I think that does raise questions of the sort that you have raised, 
but those would not be, certainly from our point of view, at the top 
of the list. 

Mr. Walden. Right. 

Mr. Smith. They are consequences rather than intentions. 

Mr. Walden. I guess the problem — my time has expired, but I 
guess the problem I see is that, you know, okay, so we line up with 
the EU, and then, you know, China comes up with a different set, 
and then this is a pretty sticky wicket we are headed into. So I — 
I am out of time. Thank you. 

Mr. Towns. The gentleman’s time has expired. 

The gentleman from Georgia, the ranking member, Mr. Nathan 
Deal? Actually, he is the vice chairman of the subcommittee, not 
ranking member, vice chairman. 

Mr. Deal. Thank you, Mr. Chairman. 

And I would like to also express my appreciation to the panel 
members for coming and appearing here today. And even though 
I share with my colleague, Mr. Buyer, the thankfulness that my 
forefathers decided to come to this country and leave the continent, 
my forefathers from the south also went a little further and de- 
cided they didn’t like the United States either and tried to secede 
from that. 

And I must tell you gentlemen that we appreciate your — both 
your English dialect and your Italian dialect, as you speak the 
English language. I must tell you, I hear with a southern accent, 
and I appreciate your efforts, and I will do the best to do my part 
as well. 

In the discussion we have had, it is obvious that one of the con- 
cerns that we have as a Congress, and I think as individuals, is 
this issue of sovereignty. How do we deal with a directive that has 
now been adopted by 11, as I understand, of the European Union 
nations? And how do we incorporate that into what we do legisla- 
tively? 

I think I understand the process that you have set up with the 
safe harbor and the contract approach, but I suppose the most im- 
portant question that I would have at this point is our most recent 
attempts to legislate in the area of privacy related to financial in- 
stitutions, commonly referred to — I believe we call it the Gramm- 
Leach-Bliley legislative initiative on financial institutions setting 
standards for privacy. 

And I apologize if you have answered this question before I ar- 
rived. But it is my understanding that there has been a determina- 
tion by the EU that these do not meet the standards of adequacy. 
Is that correct, or has there been any determination in that regard? 

Mr. Smith. I will explain my understanding, and Professor 
Rodota can correct me if I get it wrong. My understanding is that 
there has been no determination. That in the course of the safe 
harbor discussions the question of the Gramm-Leach-Bliley legisla- 
tion was put to one side and said we would look at that later, but 
it has not been returned to. 

I am not familiar with all of the detail of it, so I can’t give an 
authoritative answer. But I have been asked about it by UK finan- 
cial institutions, and the view that I have expressed there is that 
it is, if you like, very good as far as it goes. It does — or it looks on 
the face of it as though it would provide adequacy in terms of no- 
tice and possibly choice, and it deals with security aspects. 

But there are other issues that arise out of the European direc- 
tive in the UK law to do with information being accurate, up to 
date, not kept for longer than is necessary, which I am not sure — 
and I only say I am not sure — I am not sure that the legislation 
necessarily addresses. 

And, in fact, in terms of international transfers, the area it ad- 
dresses most comprehensively, the notice and choice, is not nec- 
essarily a very big issue for — as in Europe, because essentially we 
are talking about data that have been collected already in Europe. 
So the notice and choice provisions are already there under Euro- 
pean and UK law. 

So those are only views off the top of my head from what I have 
looked at. It is not that there is anything wrong with what is there. 
It is not that it doesn’t necessarily go as far as it should. 

And I think, you know, concerns have been expressed about try- 
ing to export European requirements. I mean, the safe harbor ar- 
rangements are viewed as adequate. They are a U.S. approach. 
They are based on your self-regulatory arrangements. They are not 
the same as the European approach, but they have been viewed as 
adequate. 

And although we are not trying to convince you to our approach, 
it is not our job to do that, it is simply to provide some information. 

Some things it is hard to see in any, if you like, data protection 
or privacy system, how you can get away from some of the basics 
which I would hope we would all agree on, that information must 
be kept secure, people should be given notice, they should be given 
choice. 

We might disagree about quite what that choice is and whether 
it is opt-in or opt-out, but for a very large amount of what we 
talked about, we must surely be agreed on what the basic prin- 
ciples are. 

Mr. Deal. Just very quickly before my time expires. In our dia- 
logues and as we go forward with consideration of privacy legislation in 
this country, we are concerned, as Mr. Walden has indicated, with 
the countervailing part, with the rights. We are trying to define 
rights of privacy, but we recognize that with every right there also 
must be a remedy. 

And our concern with the litigation portion of it is we are a more 
litigious society than perhaps your continent is, and we are con- 
cerned about that and have to be concerned about it. So when we 
express those opinions, it is because of our own history with regard 
to when we define rights, and we provide remedies. Sometimes the 
remedies define the rights. 

Mr. Smith. Yes, we recognize that. 

Mr. Stearns. I thank my colleague. His time has expired. 

We have finished with the first panel. Professor Rodota, we 
thank you very much for participating, and Mr. Smith. We are de- 
lighted that the two of you took the time, and we hope you will 
stay around and listen to panel No. 2. 

And with that, we are going to proceed forward here for another 
15 to 20 minutes, and then we are going to break for lunch. 

Yes? 

Mr. Markey. Can I ask one question? 

Mr. Stearns. Oh, absolutely. Okay. Mr. Markey is recognized for 
5 minutes. 

Mr. Markey. Thank you, Mr. Chairman, very much. 

Professor Rodota, Mr. Smith, I note that under the safe harbor 
the EU has negotiated with the U.S. financial data regulated under 
the Gramm-Leach-Bliley Act does not qualify for the safe harbor. 
I believe this was a wise decision on your part, since the privacy 
provisions of that Act are a pathetic joke. 

For example, under the Act, a consumer’s consent does not have 
to be obtained in order to transfer data between separate affiliates. 
All of these secrets that you have as they all — as they merge — in- 
surance and brokerage and banking, as they all merge, you don’t 
have any privacy. 

You can’t protect the secrets of your health care, of your family, 
from being transferred, between separate affiliates in the holding 
company or with a non-affiliated third party who have entered into 
a joint marketing agreement with a financial institution. 

In addition, consumers have no access and correction rights. 
Since the charter of fundamental rights of the European Union spe- 
cifically calls for consent and access and correction rights, will the 
EU continue to resist including this totally inadequate Gramm- 
Leach-Bliley Act within the safe harbor? 
Mr. Rodota. You know why the financial institutions are not 
qualified. Because if you look at the memorandum related to the 
safe harbor enforcement overview, there is a problem because FTC 
has no jurisdiction for this area. And the U.S. Government has no- 
tified only two bodies for the enforcement — FTC and Department 
of Commerce. 

So you can see that there is a problem for this kind of 

Mr. Markey. Is it going to continue to be a problem for you? 

Mr. Rodota. No. We may have now the possibility to use stand- 
ard contractual clauses. I think that that — now they have this op- 
portunity. 

Mr. Markey. So you have an opportunity to lower the privacy 
standards in Europe? 

Mr. Rodota. Too low now. 

Mr. Markey. No. 

Mr. Rodota. No, no. 

Mr. Markey. You won’t lower them. 

Mr. Rodota. No, no, no. 

Mr. Markey. Oh, good. That is what 

Mr. Rodota. That is myself 

Mr. Markey. Thank you. I see, yes. 

Mr. Rodota. [continuing] negotiating, but the Ambassador I 
don’t know, but I am 

Mr. Markey. Okay. 

Mr. Rodota. [continuing] on this point. 

Mr. Markey. Now, Professor Rodota or Mr. Smith, are you aware 
that last year the Clinton Administration submitted draft legisla- 
tion which Representatives LaFalce and Dingell and I intro- 
duced to close these loopholes in the Gramm-Leach-Bliley Act. 

Unfortunately, the Republican majority did not take up our bill. 
We are hopeful that the Bush Administration will take a far more 
favorable view. Has the EU asked the administration whether it in- 
tends to close the loopholes in the Gramm-Leach-Bliley Act, which 
make it inconsistent with the EU privacy directive? 

Mr. Smith. I mean, I can’t really add to the answer I gave, I am 
sorry. I was asked about this by one of your colleagues before 
you 

Mr. Markey. You can just answer yes or no then. Have you 
asked them to adopt 

Mr. Smith. No. As far as I know, and I cannot speak on behalf 
of the European Commission, there has been no request and there 
has been no decision in relation to the Gramm-Leach-Bliley legisla- 
tion. It was put to one side during the safe harbor arrangements 
and has not been returned to. 

And the answer I gave before, I suggested some reasons why 
there could be difficulties in considering that legislation adequate. 
And you have — and the question added to that explanation. 

Mr. Markey. I just wanted you to know, because my time is 
going to expire, that many people in our country say, “Oh, we are 
not like the Europeans. They like a lot more privacy than we like 
here in the United States.” But when they poll in the United 
States, 85 percent of Americans want the same privacy that you 
give to your citizens. 
And I think the reason is that most of our grandparents came 
from your countries, and you can’t wash your family values out in 
a generation in the United States. And so the polling is identical, 
and the only way in which we don’t adopt your standards is that 
the Republicans won’t allow us to have a clean vote on the floor 
of the House of Representatives. 

Because if we did, everyone would be forced to vote for it, be- 
cause 85 percent of the American people want it. So you should 
just understand that the whole process is aimed toward not allow- 
ing any votes on the floor of the Congress, because there would be 
an overwhelmingly favorable vote to do exactly what you have done 
because we feel exactly like those from Ireland and Germany and 
France and Italy, etcetera, etcetera, feel about the very same 
health and financial services and other information issues. 

But there is a large corporate sector here that for some reason 
or another doesn’t want to have a fair vote out on the House floor, 
and that is why they are sitting out there behind you. 

Okay. Just so you understand that. 

So keep up the good work. Okay? 

Thank you, Mr. Chairman. 

Mr. Stearns. The gentleman has 2 seconds left. 

We thank the gentleman for arriving in time, and we appreciate 
his questions. We assure him that we are going to try to develop 
a bipartisan bill. With his help, we will be able to do that. 

Well, we have just finished, as I said earlier, the first panel, and 
we have a vote in place. And we understand it is going to be suc- 
cessive votes between 12 and 1. And so we are going to motion to 
adjourn, and I think until 1. I think that is what I hear from the 
House, that we are going to have continuing votes here up until 1. 
So I appreciate that, to panel No. 2, have a nice lunch, and we will 
see everybody back here at 1. 

[Brief recess.] 

Mr. Stearns. The Subcommittee on Commerce, Trade, and Con- 
sumer Protection will reconvene, and I thank panel two for waiting. 
We had a number of votes, and we are going to continue on. We 
know all of you have planes to catch. 

So, panel two, we have Ambassador David Aaron, former Under- 
secretary of Commerce for International Trade, U.S. Department of 
Commerce; Mr. Jonathan Winer, former Deputy Assistant Sec- 
retary for International Law Enforcement, U.S. State Department; 
Professor Joel Reidenberg, Professor of Law at Fordham University 
School of Law; Mr. Denis Henry, Vice President, Regulatory Law, 
Bell Canada; and Ms. Barbara Lawler, Customer Privacy Manager 
at Hewlett Packard. 

Thank you very much, sincerely, for waiting for us. We are very 
pleased to have your opening testimony, and we will just start 
maybe just from the left and go to the right here, my left. 

So we would start, then, with Ambassador Aaron. 
STATEMENTS OF DAVID L. AARON, SENIOR INTERNATIONAL 
ADVISOR, DORSEY & WHITNEY LLP; JONATHAN M. WINER, 
COUNSEL, ALSTON AND BYRD LLP; JOEL R. REIDENBERG, 
PROFESSOR OF LAW, FORDHAM UNIVERSITY SCHOOL OF 
LAW; DENIS E. HENRY, VICE PRESIDENT, REGULATORY LAW, 
BELL CANADA; AND BARBARA LAWLER, CUSTOMER PRIVACY 
MANAGER, HEWLETT PACKARD 

Mr. Aaron. Thank you very much, Mr. Chairman. Let me thank 
you and the committee for inviting me to testify on the European 
Union’s Personal Data Protection Directive and its implications for 
U.S. privacy law. 

It is important to recognize that while we and the Europeans 
share many basic values, the EU directive comes from a different 
legal tradition and historical experience, including the police states 
and the holocaust of the last century. The EU directive attempts 
to set up a comprehensive personal data protection regime that 
tries to anticipate every problem and answer every question. It is 
enforced by a system of independent data privacy commissioners in 
each of the member states. 

While its goals may be laudable, there are a number of funda- 
mental problems with the European directive. First, it was con- 
ceived over a dozen years ago when there was no World Wide Web 
and information technology was dominated by mainframe com- 
puters, not distributed information networks, laptops, and digital 
assistants. As a result, the directive is often rigid or silent in deal- 
ing with privacy issues growing out of new technology and new 
business models. Many European states have had great difficulty 
translating it into national law. 

Second, one can read the European Personal Data Protection Di- 
rective from end to end and not find the word “privacy.” Although 
the Commission — the statement on human rights talks about re- 
specting private and family life, the personal data protection is an 
obligation of the states toward its citizens. In America, we believe 
that privacy is a right that inheres in the individual. 

We can trade our privacy — our private information for some ben- 
efit if we choose. In many instances, the Europeans cannot. This 
can have an important implication when it comes to electronic com- 
merce. But the most troubling aspect of the directive for the United 
States is the requirement that personal data only be transmitted 
from Europe to countries that have “adequate” privacy regimes. In 
effect, the directive would embargo European personal data to any 
country whose privacy policies, including the United States, the EU 
had not approved. 

Imagine, no transatlantic bank connections, no transatlantic bro- 
kerage, no credit card purchases, airline or hotel reservations, no 
internet or catalog sales, no ability of U.S. firms to manage their 
operations in Europe, and vice versa. Fortunately, the European 
Commission recognized that this could hurt Europe as much as it 
would the United States. 

This was the background for the safe harbor negotiations which 
lasted more than 2 years. Let me briefly describe how the safe har- 
bor emerged and what it is and what it is not. 

The first thing we established was that the United States was 
not going to negotiate a treaty or an executive agreement that 
would apply the EU directive in the United States. What we were 
prepared to do was issue guidance to the American business com- 
munity on how to conduct commercial relations with Europe. 

This comes under the existing authority of the Commerce De- 
partment. In the past, we have provided such guidance to help pro- 
tect U.S. firms doing business in places like the Soviet Union, 
China, and elsewhere. 

The second thing we made clear is that we were not going to ac- 
cept the jurisdiction of European law in the United States. Indeed, 
we agreed that the safe harbor would be silent on the issue of juris- 
diction. We were prepared to have voluntary self-regulation within 
the framework of existing U.S. law. We were not going to pass new 
legislation. 

Third, the Europeans had to recognize that we were trying to 
adapt the directive to the most advanced information economy on 
earth. Accordingly, the actual provisions of the safe harbor had to 
be more flexible and address real-world information practices on a 
reasonable basis. Fortunately, we had the precedent of the privacy 
principles that we and the Europeans had agreed upon in the 
OECD many years ago, and this became a touchstone of the discus- 
sions. 

The European Commission accepted these points but had a bot- 
tom line of their own. They insisted on what they considered a high 
level of privacy protections for European personal data as provided 
by their directive. It was their information. They had the right to 
control its dissemination from their point of view. 

The result was the safe harbor accord of last year. The Com- 
merce Department promulgated a set of privacy principles for han- 
dling European data in the United States. The EU Commission, 
over the reluctance of many European data protection authorities, 
and the outright opposition of the European Parliament, held that 
the safe harbor principles provided adequate privacy protections. 
Companies that signed up to the safe harbor could receive personal 
data from Europe without hindrance. 

I won’t take the committee’s time to review the safe harbor prin- 
ciples, but I would like to comment on what aspects of the directive 
or the safe harbor might be instructive in developing U.S. privacy 
laws. In doing so, I am drawing on my most recent experience at 
Dorsey and Whitney where we provide privacy advice to a wide va- 
riety of clients as well as my negotiations with the European 
Union. 

First, there is the concept of national privacy standards. The EU 
developed its directive as part of the effort to create a single mar- 
ket; that is, in order to avoid the complex and burden of having 15 
different national privacy laws. I believe that we face a similar risk 
in the United States, only instead of 15 national laws we could 
have 50 State laws. 

But I have one important caveat. Any Federal privacy legislation 
preempting State law would have to provide high standards. We 
need the highest common denominator, not the lowest. If the Fed- 
eral rule is a minimum standard, for example, that companies 
merely must have a privacy policy and tell their customers what 
it is, I think it would be difficult to justify preempting the states. 
My second observation draws upon the safe harbor. The essence 
of that deal was that we accepted high standards and they accept- 
ed self-regulation. Any Federal standard should rely, to the extent 
possible, on self-regulation. That, in my experience, is the best way 
to avoid high standards from becoming a straitjacket that could 
smother the information economy. 

Thank you very much, Mr. Chairman. 

[The prepared statement of David L. Aaron follows:] 

Prepared Statement of David L. Aaron, Senior International Advisor, 
Dorsey & Whitney LLP 

Mr. Chairman, let me thank you and the Committee for inviting me to testify on 
the European Union Personal Data Protection Directive and its implications for US 
privacy law. 

It is important to recognize that while we and the Europeans share many basic 
values, the EU Directive comes from a different legal tradition and historical experi- 
ence — including the police states and holocaust of the last century. The EU Direc- 
tive attempts to set up a comprehensive personal data protection regime that tries 
to anticipate every problem and answer every question. It is enforced by a system 
of independent Data Privacy Commissioners in each of the member states. 

While its goals may be laudable, there are a number of fundamental problems 
with the European Directive. First, it was conceived over a dozen years ago when 
there was no World Wide Web and information technology was dominated by main- 
frame computers not distributed information networks, laptops, and digital assist- 
ants. As a result, the Directive is often rigid or silent in dealing with privacy issues 
growing out of new technology and business models. Many European States have 
had great difficulty translating it into domestic law. 

Second, one can read the European Personal Data Protection Directive from end 
to end and not find the word “privacy”. Personal data protection is an obligation of 
the State toward its citizens. In America we believe that privacy is a right that in- 
heres in the individual. We can trade our private information for some benefit. In 
many instances Europeans cannot. This can have important implications when it 
comes to e-commerce. 

But the most troubling aspect of the Directive for the United States is the require- 
ment that personal data only be transmitted from Europe to countries that have 
“adequate” privacy regimes. In effect, the Directive would embargo European per- 
sonal data to any country whose privacy policies the EU had not approved. 

Imagine. No transatlantic bank transactions, credit card purchases, airline and 
hotel reservations, no internet or catalogue sales, no ability of US firms to manage 
personnel in their European operations, and vice versa. Fortunately, the European 
Commission recognized that this could hurt Europe as much as the United States. 

This was the background for the Safe Harbor negotiations that lasted more than 
two years. Let me briefly describe how the Safe Harbor Accord emerged and what 
it is and is not. 

The first thing we established was that the United States was not going to nego- 
tiate a Treaty or an Executive Agreement that would apply the EU Directive in the 
U.S. What we were prepared to do was issue guidance to the American business 
community on how to conduct commercial relations with other countries. This comes 
under the existing authority of the Department of Commerce. In the past we have 
provided such guidance to help protect US firms doing business in places like the 
Soviet Union, China and elsewhere. 

The second thing we made clear is that we were not going to accept the jurisdic- 
tion of European law in the United States. Indeed we agreed that the Safe Harbor 
would be silent on jurisdiction. We were prepared to have voluntary, self regulation 
within the framework of existing US law. We were not going to pass new legislation. 

Third, the Europeans had to recognize that we were trying to adapt the Directive to 
the most advanced information economy on earth. Accordingly the actual provisions 
of the Safe Harbor had to be more flexible and address real world information prac- 
tices on a reasonable basis. Fortunately, we had the precedent of privacy principles 
that we and the Europeans had agreed upon in the OECD many years ago. This 
became a touchstone of the discussions. 

The European Commission accepted these points but had a bottom line of their 
own. They insisted on what they considered a high level of privacy protections for 
European personal data as provided by their Directive. It was their information; 
they had the right to control its dissemination. The result was the Safe Harbor ac- 
cord of last year. The Commerce Department promulgated a set of privacy principles 
for handling European Data sent to the U.S. The principles cover notice, choice, 
transfers to third parties, access, security, data integrity and enforcement. These 
are accompanied by 15 frequently asked questions that spell out some of the points 
in detail. 

The EU Commission, over the reluctance of many European Data Protection Au- 
thorities and the opposition of the European Parliament, held that the Safe Harbor 
principles provided “adequate” privacy protections. Companies that signed up to the 
Safe Harbor could receive personal data from Europe without hindrance. 

Alternatively, US companies can negotiate contracts with European data sup- 
pliers that would follow the Safe Harbor principles but also contain other provisions 
called for by individual Data Protection Authorities who have to bless the contracts. 
One US multinational company told me that if they took that route, they would 
have to negotiate over thousands of such contracts. 

I won’t take the Committee’s time to review the Safe Harbor principles, but I 
would like to comment on what aspects of the Directive or the Safe Harbor might 
be instructive in developing US privacy laws. 

First, the Directive falls short of US privacy expectations in some respects. For 
example, it provides no special safeguards for protecting children on-line as COPPA 
does. It also does not protect credit information the same way. As a result, experts 
have calculated that Europeans pay at least 500 basis points more for consumer 
credit. 

It also goes much further than many Americans might consider reasonable. For 
example, if a person orders a kosher meal on a flight, the airline cannot store this 
information for future reference unless the individual explicitly agrees. Why is this 
considered sensitive information? Because it might reveal the passenger’s religion or 
ethnicity. 

With these cautionary examples in mind let me suggest how some aspects of the 
Directive and Safe Harbor could prove useful to any legislative effort. In doing so, 
I am also drawing on my most recent experience at Dorsey & Whitney where we 
provide privacy advice to a wide variety of clients. 

First there is the concept of national privacy standards. The EU developed its Di- 
rective as part of the effort to create a single market — that is in order to avoid the 
conflicts and burden of having 15 different national privacy laws. I believe that we 
face a similar risk in the United States, only instead of 15 national laws we could 
have 50 state laws. But I have one important caveat: any Federal privacy legislation 
preempting state law would have to provide high standards. We need the highest 
common denominator not the lowest. If the Federal rule is a minimum standard — 
for example that companies merely must have a privacy policy and tell their cus- 
tomer what it is — I think it would be difficult to justify preempting the States. 

My second observation draws upon the Safe Harbor. The essence of that deal was 
that we accepted high standards and they accepted self regulation. Any Federal 
standard should rely to the extent possible on self-regulation. That, in my experi- 
ence, is the best way to keep high standards from becoming a straitjacket that 
could smother the information economy. 

Is Federal privacy legislation timely? In my experience, the answer is clearly yes. 

Trust is a continuing issue in e-commerce. Experts estimated last year that the 
lack of consumer trust cost e-businesses $16 billion in lost sales. More and more 
companies are seeing the competitive value of providing good privacy practices for 
their customers. The States are already riding off in different directions on privacy. 
If high standards can be adopted at the Federal level this will provide American 
companies with a predictable framework to conduct their business. Even more im- 
portant, it can provide the American people with greater confidence that their rights 
will be protected both on-line and off-line to the benefit not only to our economy but 
to our democracy. 

Thank you Mr. Chairman. 

Mr. Stearns. Mr. Winer? 

STATEMENT OF JONATHAN M. WINER 

Mr. Winer. Thank you, Mr. Chairman. Thank you for the oppor- 
tunity to testify here today. 

I wish to make 10 points about the EU privacy directive. First, 
it has extraterritorial impact. With the privacy directive, the EU is 
regulating cyber space and much offline activity as well. E-commerce 
is, by its nature, global. Thus, national laws regulating it 
tend also to quickly become global. 

Following the EU’s lead, other countries are adopting privacy 
laws, some of which, including Canada’s, have substantial potential 
extraterritorial impact. These new laws are global but inconsistent. 
As we are finding out in the United States, there are many dif- 
ferent ideas about how best to regulate privacy. Internationally, we 
are now facing a maze of conflicting provisions 

Mr. Stearns. Mr. Winer, could you bring the microphone just a 
little closer for yourself? 

Mr. Winer. Yes, sir. 

Mr. Stearns. Okay. Good. 

Mr. Winer. I didn’t want to be too loud. Let us try it again. 

Internationally, we are now facing a maze of conflicting provi- 
sions that create a complex, perilous, and potentially non-navigable 
environment for the many firms that process personal data which 
crosses borders. Many of the new foreign privacy laws differ from 
existing U.S. law, yet because of the transborder nature of many 
global information flows these laws may, in practice, regulate sub- 
stantial amounts of data processing within the United States. 

If the U.S. is not vigilant, such laws potentially place at risk U.S. 
competitiveness, U.S. trade, and fundamental U.S. values, includ- 
ing rights protected under the First Amendment as you heard last 
week. 

Second, the privacy directive terms, to the rest of the world, are 
tantamount to extortion. The EU is requiring that all other coun- 
tries adopt the EU’s privacy laws or risk having data flows to them 
cut off by all of the EU’s member states. As it has been said, the 
EU judges which countries in the world have adequate privacy 
laws. The EU says you don’t. EU member states are required by 
the privacy directive to shut off data flows to that country. 

Transatlantic trade and information includes billions of bytes of 
data each day, and hundreds of billions of dollars in commercial ac- 
tivity a year. The sanction of cutting off such flows is one that can- 
not be easily activated without threatening fundamental damage to 
the global economy. The EU has stated it won’t implement sanc- 
tions if it can find any other way to enforce the privacy directive. 

The EU has agreed to a stand-still in enforcement against U.S. 
firms through at least July 2001. At some point, however, that 
stand-still will end, and we could have a serious problem. 

Third, the safe harbor, unfortunately, is inadequate. Undersecre- 
tary of Commerce Aaron negotiated it to secure recognition by the 
EU that the U.S. system for protecting privacy was adequate, but 
he was not able to convince the EU to accept that U.S. Federal 
laws governing privacy in the financial services sector are ade- 
quate. 

The EU agreed to accept the U.S. system only to the extent that 
the Federal Trade Commission — and, for a small number of compa- 
nies, the Department of Transportation — could sue U.S. companies 
who violate an agreement to live up to principles based upon the 
requirements of the directive. 

This was a very unfortunate outcome. Unlike the EU’s lax en- 
forcement of its privacy directive, the U.S. systematically enforces 
its privacy laws. The U.S. also has a high level of self-regulation. 
U.S. regulators have issued detailed regulations governing privacy 
in the financial services sector, and they examined financial insti- 
tutions for compliance with U.S. privacy laws. 

According to a recent study sponsored by some 200 consumer 
groups, the U.S. system already protects online privacy better than 
the EU system. The EU should deem the whole U.S. system ade- 
quate and end the threat of cutting off data flows to the United 
States. 

Fourth, the safe harbor is unpopular. The safe harbor has at- 
tracted very few takers so far. Only 26 companies have entered as 
of this week, one of which is here with us today. The tiny number 
of companies signing up for safe harbor means the vast preponder- 
ance of all U.S. companies remains subject to being treated by the 
EU as inadequately protecting privacy. 

Fifth, as was said this morning, the privacy directive threatens 
national sovereignty. The EU is insisting that it be treated as the 
de facto global standard for privacy. After July 1st, or whenever 
the enforcement stand-still ends, all EU member states are sup- 
posed to shut down data flows to any company located in any juris- 
diction deemed to have inadequate privacy protection. 

That is true unless the company subjects itself to EU jurisdic- 
tion, EU rules, EU regulations, EU standards, EU courts, and li- 
ability to every individual whose information passes to the non-EU 
company from the territory, physical or electronic, of the EU. 

In early 1996, following the shoot-down of unarmed civilian 
planes and the murder of U.S. citizens by Cuban MiGs, Congress 
passed and the President signed the Libertad Act, known by the 
name of its primary sponsors as Helms-Burton. The Act sought to 
protect the property rights of thousands of American citizens whose 
property was confiscated without compensation by the Castro re- 
gime, by imposing sanctions on those who profited off that stolen 
property. 

After the U.S. enacted Helms-Burton, the EU issued the fol- 
lowing statement. “The European Union is opposed to the use of 
extraterritorial legislation, both on legal and policy grounds. In the 
last few years there has been a surge of U.S. extraterritorial sanc- 
tions legislation. Such laws represent an unwarranted interference 
by the U.S. with the sovereign rights of the EU to legislate over 
its own citizens and companies, and are, in the opinion of the EU, 
contrary to international law.” 

In a wired world, literally millions of communications containing 
personal information go back and forth between the U.S. and the 
EU every day. A standard that insists that these and other cross- 
border information flows adhere to an EU privacy regime is a 
standard that imposes EU law on the entire world. 

And last week I participated in a telephone conversation with an 
EU official who said, specifically, “Yes. The rules we are applying 
are going to have global application. You bet.” 

The privacy directive may fairly be termed the EU’s Helms-Bur- 
ton Act. It seeks to protect a class of property rights by demanding 
extraterritorial enforcement of those asserted property rights 

Mr. Stearns. Mr. Winer, we just need you to wrap up. 

Mr. Winer. Yes, sir. 

Mr. Stearns. Under the 5-minute rule. 
Mr. Winer. My company is based all over the world. 

Sixth, the privacy directive is burdensome. My testimony goes 
into that. 

Seventh, it is not a good way of protecting privacy. The principles 
may look good, but in practice many of them are not workable. 

Eighth, do as I say not as I do. The EU is not systematically en- 
forcing it. There is massive non-compliance in the EU. 

Ninth, like the privacy directive, the model contracts potentially 
threaten U.S. competitiveness. They would create causes of action 
for data subjects who would be third-party beneficiaries of those 
contracts. 

And, tenth, we have the power to protect ourselves from this for- 
eign threat to U.S. interests and U.S. economic security. There are 
a number of options the Congress has in front of it that could help 
protect us, and I urge you to consider them. 

I am happy to respond to any of your questions. Thank you, sir. 

[The prepared statement of Jonathan M. Winer follows:] 

Prepared Statement of Jonathan M. Winer, Alston & Bird LLP 

Mr. Chairman and distinguished members of this Committee: My name is Jona- 
than Winer. I am an attorney practicing law with the firm of Alston & Bird LLP 
in Washington, D.C. Previously, I served from 1994 through 1999 as Deputy Assist- 
ant United States Secretary of State for International Enforcement matters, where 
my responsibilities included undertaking negotiations and discussions with the Eu- 
ropean Union, and its executive implementing body, the European Commission, on 
a range of Trans-Atlantic matters. Prior to that, 1 served in the Senate for many 
years as counsel to U.S. Senator John Kerry (D-Mass.), during which time I worked 
on international, banking, and legal matters before the Foreign Relations, Banking, 
Commerce, and Judiciary Committees. Currently, I spend much of my time writing, 
lecturing, and counseling U.S. companies about privacy issues, including the EU 
Privacy Directive that is the subject of this hearing. 

Privacy is a fascinating and rapidly growing area of the law, and the issue is an 
exceptionally complex one. I commend this Committee for recognizing its importance 
and for initiating this set of hearings, and am grateful for the opportunity to testify 
before you. 


1. THE EU IS WRITING RULES REGULATING CYBERSPACE. 

If there is anything that is growing at an even more exponential rate than e-com- 
merce, it is laws that purport to govern e-commerce, and in particular, laws gov- 
erning privacy. Since e-commerce is by its very nature global, national laws regu- 
lating it tend also to quickly (and sometimes unintentionally) become global, raising 
from the beginning the question of whose law will wind up writing the rules by 
which e-commerce and the World Wide Web operate. While some may want cyber- 
space to remain a lawyer-free zone, an ever-thickening web of laws is already pur- 
porting to determine what activities are permitted, and what activities are prohib- 
ited on-line. The vast preponderance of these laws are arising in the European 
Union, and the most important of them to date is the EU’s Directive on Data Protec- 
tion, known as the “Privacy Directive.” 1 Significantly, while many of these laws 
have been stimulated by consumer and business issues highlighted by new tech- 
nologies, they would often regulate a far broader swath of activity. In the case of 
the EU privacy directive, the regulated “industry” would extend to everyone who 
does business by communicating information about people. Under the Directive, 
government would regulate and determine what is permitted and what is prohibited 
communications about all personal data, at least in a commercial context. 

1 “Data Protection Directive, 95/46/EC.” Other EU laws that purport to regulate various as- 
pects of cyberspace and the world-wide net include, but are not limited to, the EU Directive on 
E-Commerce (2000), which mandates particular labeling requirements, the Brussels Regulation, 
which governs consumer rights to sue in their own jurisdiction regardless of contractual terms 
to the contrary, laws on Access to Justice, Comparative and Misleading Advertising, Consumer 
Credit and Education, Dangerous Imitations, Long Distance Selling, Information Society, Pack- 
age Travel, Product Liability, Product Safety, Time Sharing, and Unfair Contract Terms. As a 
senior European Commission official stated to the author recently, “if it moves, we regulate it.” 

Since the passage in 1995 of the Privacy Directive, which became effective in 
1998, there has been an explosion of new national privacy laws governing the off- 
line, as well as the on-line uses of personal data. Within the past twelve months 
alone, we have seen new data protection laws emerge in Argentina, Australia, Can- 
ada, Chile, and Paraguay, following earlier privacy laws in Hong Kong, Hungary, 
New Zealand, and Switzerland, in addition to the 15 member states of the European 
Union. Each of these laws is well-intentioned, and addresses what for many is be- 
coming the assertion of a fundamental right — the right of private citizens to own 
their own personal information. Many of these laws have extra-territorial impact, 
and some, such as the Privacy Directive, are literally global in their application. Of 
particular interest is Canada’s law, which requires all exporters of Canadian per- 
sonal data to insure that U.S. companies importing the data agree to apply Can- 
ada’s laws to the data so long as they retain it, thereby exporting Canada’s laws 
to the U.S. in an almost EU-like fashion. Canada’s privacy law could have a pro- 
found impact on North American data flows, and on NAFTA, but being only in effect 
for some two months, its impact remains difficult to measure. 2 

Unfortunately, the laws are not just global, but inconsistent. Like the state legis- 
latures in the U.S., each nation that has looked at privacy has come up with its 
own constructions for how to protect it. Accordingly, national privacy laws differ 
from one another on matters of definition, scope, terminology, and application, cre- 
ating a maze of often conflicting provisions and a potential compliance nightmare 
for not just for e-commerce, but for any company doing business across borders with 
individual consumers. 

For the United States, the new web of privacy requirements creates some very 
serious potential problems for our economy and our legal system. Many of the new 
national privacy laws coming into effect outside the U.S. differ from existing U.S. 
law, and yet will have the impact of regulating substantial amounts of data proc- 
essing within the United States. Indeed, in some cases, including the Privacy Direc- 
tive, the results of the foreign laws will in practice be to create new enforceable 
legal rights that can be litigated within U.S. courts by Americans and non-Ameri- 
cans alike, regardless of whether Congress, the Executive Branch, or the states have 
decided that this is a good idea. 

The result, for the U.S., is the renewed reminder that foreign countries can enact 
laws with extra-territorial application. If the U.S. is not vigilant, such laws poten- 
tially place at risk U.S. competitiveness, U.S. trade, and fundamental U.S. values, 
including protected rights under the First Amendment. Each of these areas will be 
put at great risk by the Privacy Directive in the months ahead, as the EU body re- 
sponsible for securing its enforcement by the 15 EU Member States, the European 
Commission, works to insure that its provisions are adhered to by every nation in 
the world. 

2. UNDER THE PRIVACY DIRECTIVE, THE EU DECIDES WHETHER EACH COUNTRY IN THE 
WORLD’S PRIVACY LAWS ARE “ADEQUATE” OR “INADEQUATE.” 

Under the Privacy Directive, the EU has decided that privacy is such a funda- 
mental human right that it will permit no one to export personal data from the EU 
under circumstances that differ substantially from the privacy rules the EU has 
adopted for itself. Jurisdictions deemed by the EU to have “inadequate” protection 
of personal data are supposed to be cut off from all the EU’s personal data. As 
Trans-Atlantic trade in information amounts to billions of bytes of information a 
day, and hundreds of billions of dollars of commercial activity a year, the sanction 
is one that cannot be easily activated without threatening fundamental damage to 
the global economy. The EU has recognized this, and has stated that it has no in- 
tention of shutting down data flows if it can find any other reasonable solution that 
adequately protects personal data. A fair amount of forbearance has already been 
shown by the EU in this regard: although its own 15 member states have been re- 
quired to be in compliance with the Directive since October, 1998, and several have 
been taken to court for non-compliance by the European Commission, no country 
has actually been sanctioned for non-compliance with the Directive to date. Regard- 
ing the U.S., the European Commission has agreed to a semi-official stand-still on 
enforcement against U.S. firms through at least July 1, 2001. 

2 Canada’s law has only been in effect since January 1, 2001, and currently only applies to 
transborder movements of data that is sold in the commercial context, and not mere processing 
of personal data. The latter is to be fully covered under Canadian law by January 1, 2004. Inter- 
estingly, despite the breadth of Canadian law, the EU has yet to find it to be fully “adequate” 
under the EU Data Protection standard. To date, only the privacy laws of Hungary and Switzer- 
land, which mirror the EU’s, and other states in the EU’s economic area have been deemed ade- 
quate by the EU. 

3. THE US-EU PRIVACY SAFE HARBOR: A HOPED-FOR ALTERNATIVE TO A PRIVACY TRADE 
WAR. 

Neither the U.S. nor the EU sought a trade war over privacy. During the Clinton 
Administration, the U.S., led by Under Secretary of Commerce David Aaron, nego- 
tiated in good faith with the EU seeking its recognition that the U.S. system for 
protecting privacy was adequate. Ultimately, the EU agreed to accept the U.S. sys- 
tem as adequate to the extent that the Federal Trade Commission (“FTC”) could sue 
U.S. companies that agreed to live up to a series of principles based upon the Privacy 
Directive’s requirements, and then failed to do so. Such companies could sign up to 
the EU’s privacy standards, and thereby receive a “Safe Harbor” from the sanctions 
imposed by the EU on firms based in jurisdictions deemed by the EU to have inad- 
equate protection. 

Notably, however, Ambassador Aaron was not able to convince the EU to accept 
that U.S. federal laws governing financial services, including the Fair Credit Report- 
ing Act and the Financial Services Modernization Act of 1999 (“Gramm-Leach-Bli- 
ley,” or “GLB”), adequately protect privacy, despite clear evidence that these laws 
are being systematically enforced by U.S. regulators, evidence lacking to date in 
many cases in the enforcement of EU Member States of the Privacy Directive. Be- 
cause the EU hasn’t found these laws adequate, companies regulated by those laws 
cannot rely on them for protection against sanctions by EU member states, even if 
they are in complete compliance with U.S. federal privacy laws. 

As a result, the Safe Harbor negotiated by Under Secretary Aaron wound up ex- 
cluding some of the most important sectors of the U.S. economy, including tele- 
communications as well as financial services and dramatically limiting its imme- 
diate utility. 

4. SUPPOSE THEY GAVE A SAFE HARBOR, AND NO ONE CAME? 

Notably, in the more than four months since U.S. companies have been able to 
sign up for Safe Harbor only 26 have chosen to do so as of March 5, 2001. A small 
number of these are major business-to-business companies, such as Dun & Brad- 
street and Hewlett Packard, who have comparatively limited needs for processing 
personal information by comparison to the many companies whose businesses are cen- 
tered on business-to-consumer transactions. Others are self-regulatory organizations 
such as TRUSTe, the Entertainment Software Rating Board, and the UserTrust 
Network, for which privacy is the line of business, rather than a requirement of 
business. The tiny number of companies signing up for the Safe Harbor indicates 
that the vast preponderance of all U.S. companies remain subject to being treated 
by the EU as having inadequate protection of privacy. 

5. THE PRIVACY DIRECTIVE: THE EU’S HELMS-BURTON? 

Under the Privacy Directive, the consequences for having inadequate protection 
of personal data are simple. Once the current standstill on international enforce- 
ment is over — currently set to expire July 1, 2001 — all EU member states are sup- 
posed (eventually) to shut down the flows of data to any company located in such 
a jurisdiction, unless that company contractually subjects itself to EU jurisdiction, 
EU rules, EU regulations, EU standards, EU courts, and liability to every individual 
whose information passes to the non-EU company from the territory, physical or 
electronic, of the EU. 

In an era of globalized information, the threat to shut down data flows is a re- 
markable one, but it is the heart of the Privacy Directive. The issue is not one of 
privacy, but of national sovereignty: should any nation, or group of nations, at this 
stage of the information economy be threatening to halt data flows to any other na- 
tion? In the EU, that is in fact the law imposed by the Privacy Directive, to those 
who do not provide what the EU deems to be “adequate protection” to personal data. 

In early 1996, following the shootdown of unarmed civilian planes and the murder 
of U.S. citizens by Cuban MIGs in broad daylight and without justification, Con- 
gress passed and the President signed the Libertad Act, known by the name of its 
primary sponsors as “Helms-Burton.” The Act sought to promote democracy in Cuba 
and to protect the property rights of thousands of American citizens whose property 
was confiscated without compensation by the Castro regime, by imposing sanctions 
on those who profited off that stolen property. 

After the U.S. enacted the Helms-Burton Act, the European Union issued the fol- 
lowing statement: 
“The European Union is opposed to the use of extraterritorial legislation, both 
on legal and policy grounds. In the last few years, there has been a surge of 
US extraterritorial sanctions legislation both at federal and sub-federal 
level... Such laws represent an unwarranted interference by the U.S. with the 
sovereign rights of the EU to legislate over its own citizens and companies, and 
are, in the opinion of the EU, contrary to international law.” 

The EU complained that it was a violation of international law that the Helms- 
Burton Act empowered individuals to file private lawsuits against EU companies 
who were acting in compliance with the terms of their domestic laws. 

Accordingly, the EU demanded that the US suspend the right of anyone to sue 
an EU company under Helms-Burton. 

The EU also filed suit in the World Trade Organization against the U.S., seeking 
a ruling that Helms-Burton violated international trade laws. Eventually, the mat- 
ter was resolved through a remarkable diplomatic effort undertaken by then Under 
Secretary of State Stuart Eizenstat, which enabled all the parties to back off from 
turning a disagreement over policy and property rights into a trade battle. 

While Helms-Burton only affected issues pertaining to property in Cuba, one 
country among some 180 UN member states, the Privacy Directive is global in its 
application to data that flows out of the EU’s borders, and governs not merely real 
estate or business property but all personal data, except that deemed public under 
the laws of individual countries. As a result, the Privacy Directive has the con- 
sequence of turning the processing of information by anyone, anywhere, at least in 
a business context, into a regulated industry. The EU’s contention that the Privacy 
Directive only affects information that is exported from the EU and is not extra- 
territorial makes a debating point, but one that is at odds with the plain facts. In 
a wired world, literally millions of communications containing personal information 
go back and forth between the U.S. and the EU every day. A standard that insists 
that all such information flows adhere to an EU privacy regime is a standard that 
imposes EU law on the entire world. 

It is not unfair to characterize the Privacy Directive as the “EU’s Helms-Burton 
Act,” except perhaps to the authors of Helms-Burton, who never dreamed of defining 
property rights so globally and so extraterritorially. 

Indeed, last week, I participated in a conversation with a senior official from the 
European Commission who explicitly acknowledged this fact in connection with the 
issuance of new “model contracts” to enable foreign companies to come into compli- 
ance with the Directive. She said that the new model contracts soon to be issued 
by the EU as a base-line for the handling of data from the EU to other countries 
would have “world-wide application.” 

The Privacy Directive goes beyond anything contemplated by Helms-Burton in 
providing for extraterritorial impact on U.S. companies, interference with the sov- 
ereign rights of the U.S. to legislate over its own citizens and companies, and per- 
mitting EU citizens — and indeed, under certain circumstances — U.S. citizens, to sue 
U.S. companies for actions that would be legal under domestic U.S. law in connec- 
tion with the processing of personal data by giving the EU’s citizens a global prop- 
erty right in all of their personal information. 3 

6. THE OBLIGATIONS IMPOSED BY THE PRIVACY DIRECTIVE AS IT IS NOW BEING 
INTERPRETED ARE POTENTIALLY VERY BURDENSOME, ESPECIALLY FOR B2C BUSINESSES. 

It can be difficult to make sweeping statements about the meaning the Privacy 
Directive because different EU entities and persons have interpreted the Directive 
differently at different times. At one point, for example, the European Commission 
issued a statement reporting that the Directive protected solely the data of Euro- 
pean citizens or residents. Later, this was judged to be incorrect, and the EU made 
it clear that it applied to all personal data that was being processed within the EU. 
Moreover, the guardians of privacy within the EU, represented by the EU’s “Article 
29” Committee, have issued an ever accreting set of standards, guidance, and opin- 
ions, with the professed intention of systematically strengthening privacy protection. 
The result is that the obligations for companies under the Directive are to some con- 
siderable extent a moving target. 

3 Elsewhere, I have expressed concerns about the risk to the public space caused by turning 
personal information into a property right. If every fact about every person, beginning with his 
or her name and address, becomes private data that he or she controls, what space is left for 
public communication about public matters? This is a very serious political and policy issue 
which assumes Constitutional dimensions in the United States, given our history of support for 
free expression about all matters — including other people — as set forth in the First Amendment. 
See e.g. “Regulating the Free Flow of Information: A Privacy Czar as the Ultimate Big Broth- 
er?”, Jonathan M. Winer, The John Marshall Journal of Computer & Information Law, Decem- 
ber 2000. 

The ultimate level and vigor of the enforcement of the Privacy Directive by EU 
Member States remains uncertain, and a number of matters of detail pertaining to 
privacy are still under development by the European Commission. Nevertheless, the 
parameters of the possible obligations of companies based in the U.S. and other 
countries whose national laws have not been deemed to be adequate by the EU, cur- 
rently appear to include: 

• Agreeing to submit all of their data processing facilities, files and documents to 
audit by companies in the EU who are sending them data, and by each of the 
Data Protection Authorities established in the EU. 

• Promising ahead of time to cooperate with each of the EU’s privacy czars on any 
inquiry they may make regarding data processing and to abide by any order the 
privacy czar chooses to give, regardless of whether the U.S. company considers 
the order proper, lawful, or practical, and regardless of cost. 

• Limiting the use of data only to the purposes for which the data has been trans- 
ferred. 

• Storing the data only as needed to carry out the purposes for which the data has 
been transferred, and then destroying it. 

• Promising not to retransfer the data to an entity in a jurisdiction whose laws are 
not deemed to offer adequate protection unless the data subject has opted in 
to such transfer in the case of sensitive data, or has been given an opt-out op- 
portunity in all other cases. 

• Providing the data subject access to all data relating to him or her being proc- 
essed in the U.S. 

• Allowing the data subject the right to correct or delete data that has become inac- 
curate. 

• Allowing the data subject the right to object to the processing of his or her data 
on compelling grounds based upon his or her particular situation. 

• Naming a privacy officer to handle inquiries from the EU. 

• Agreeing to allow anyone whose personal data is transferred from the EU to a 
firm located in the U.S. to sue as a “third party beneficiary” for violation of any 
of the above provisions under any contract that permits a U.S. company to im- 
port their data. This right to sue would appear to include not just European 
citizens, but any U.S. citizen whose data has been moved through the EU back 
to the U.S. Since the right to sue would be a contractual one, in theory that 
right might well be enforceable by U.S. citizens against U.S. companies in U.S. 
courts.4 

7. SOME OF THE BROAD PRIVACY PRINCIPLES LOOK GOOD IN THEORY, BUT MAY NOT BE SMART (OR PROTECT PRIVACY) IN PRACTICE.

Whether the obligations in the Privacy Directive are a good or a bad idea, they are not today the law in the U.S. Indeed, the U.S. Congress has to date declined to make them the law of the U.S. Important arguments can be advanced by reasonable people in favor of and against all of the EU obligations, many of which prove as complex to operate in practice as they are simple to articulate in principle.

For example, the right of access, mandated by the Privacy Directive, states in essence that every person should have to review and correct all the data that is held by any company about them. Stated simply, the right sounds unobjectionable. But many, perhaps most companies around the world, especially large ones, do not centralize their data bases on individuals. Rather, bits and pieces of information about individuals may be contained in many locations at a company. For example, in a Congressional office, each staffer of each Congressman may have their own personal contact directories set up, or case files pertaining to handling the needs of constituents. While some Congressional offices might centralize such data, most would not, and might even view such centralization of data as a potential threat to the privacy of the constituents. To implement a right of access, a company would need to be able to assemble all of its personal data about people easily into one place, for the review of the data subject. The process of assembling and centralizing that data carries with it real risks to privacy, especially if such data can be subpoenaed in civil cases or criminal investigations, both of which are permitted under the Directive. The problem becomes especially severe with large companies which have many different consumer divisions that handle personal information. Is it really good privacy policy to require such companies to centralize all of the data they may possess on all data subjects in order to permit them to easily provide consumers a right of access and correction? In the case of an internet service provider, would that include all identifiable references to these persons on the e-mail traffic processed by the company? Certainly, there are fair arguments to suggest that such centralization may in fact threaten, rather than protect, privacy.

[4] Some of the above provisions can probably be avoided by a U.S. company that enters the Safe Harbor, but only to the extent that the data flows go from the EU to the U.S. and do not also include, for example, another country such as India or Mexico.

These issues become even more complex when they are taken beyond the context of mainframe computers — the technology that was the main concern at the time the Directive was conceived — to intranets, extranets, e-mails, telecopies, the World Wide Web, lap top computers, smart phones, and hand-held wireless communicators, all of which are theoretically fully subject to the Privacy Directive’s requirements for consent, notice, access, uses limited to consent, right to correct, and so on.

Other privacy rights guaranteed in the Directive may prove to be of equal simplicity in statement, and equal complexity in practice. As former Clinton Administration privacy czar Peter P. Swire and Brookings Professor Robert E. Litan have written about the Directive, in their book “None of Your Business”:

“Under the European Directive, many routine and desirable transfers of information would apparently be restricted. For instance, as written, the Directive would appear to hinder pharmaceutical research, could pose a major obstacle to investment banks’ collection of important information about companies, and would call into doubt many mainframe and intranet applications that involve processing data in the United States or other third countries.”[5]

8. NON-COMPLIANCE WITH THE DIRECTIVE WITHIN THE EU IS MASSIVE. 

Professors Swire and Litan go on to note that EU officials tell the U.S. not to worry about the Directive, that the EU will proceed with implementing the Directive sensibly and incrementally, by encouraging good privacy practices and imposing few penalties on individual organizations. The problem with these assurances, as Swire and Litan state explicitly, is that:

“Europe cannot strictly enforce the letter of the Directive and at the same time announce that organizations can routinely ignore it. It violates the rule of law and fundamental fairness to enforce a law strictly against some while allowing others to violate the same law in the same way . . . An often expressed concern of U.S.-based firms is that they might be targeted for enforcement, even when they follow the same privacy practices as their Europe-based competitors. This targeting may fit the perception that American companies are less careful on privacy issues, and the focus may be politically popular in Europe.”[6]

This anxiety is not one that is without merit. Some five years after the passage of the Privacy Directive, the European Commission continues to maintain court action against four of its member states, France, Germany, Ireland, and Luxembourg, for their non-compliance with the Directive. Perhaps more to the point, there is substantial practical evidence that non-compliance with the Directive is widespread throughout the European Union.

Lawyers who practice commercial law involving international businesses see this every day. A few months ago, I was asked by an American company to look at the privacy policies and practices of an EU company that it was purchasing, as part of due diligence, in order to assess the potential risks of liability for the U.S. firm in connection with the purchase. The EU company was in a consumer business that caused it to acquire, process, and manipulate sensitive consumer personal data hundreds or thousands of times every day of the kind theoretically protected by the Privacy Directive. The EU company had no on-line privacy policy. It also turned out to have no off-line privacy policy. In fact, it had no privacy policy at all, and after due diligence, we found no evidence that the EU company had ever undertaken steps to comply with the Directive. Ultimately, we advised the U.S. company, which has comprehensive privacy policies in place, to seek indemnifications from the EU company in case the EU privacy regulator decided to sanction it. The EU company was happy to do so: it advised the U.S. company that in this EU country at least, the actual issuance of penalties for non-compliance with the Privacy Directive and with national privacy laws was almost unknown.

[5] Swire and Litan, “None of Your Business,” Brookings Institution, 1998, p. 153. The complexity of the compliance issues raised by the Privacy Directive is illustrated by Swire and Litan in Appendix B to their book, which consists of a 12 page chart summarizing some of the potential effects and coverage of the Directive. Among the areas Swire and Litan list as affected by the Directive are mainframes, client-server systems, intranets, extranets, e-mail, telecopies, the World Wide Web, laptop computers and personal organizers, human resources records, auditing and accounting functions, business consulting, calling centers and other worldwide customer service, payment systems for financial services, sale of financial services to individuals, investment banking and market analysis, investment banking “hostile takeovers,” which Swire and Litan believe become barred by the Directive; investment banking due diligence, investment banking private placements, mandatory securities and accounting disclosures, individual credit histories, corporate credit histories, the press, nonprofit organizations generally, international educational organizations, international conferences, non-European governments, pharmaceutical and medical device research and marketing, business and leisure travel reservation systems, business and leisure travel frequent flyer and other affinity programs, internet service providers, traditional direct marketing, and direct marketing over the Internet. Id. pp. 248-260.

[6] Id. at p. 155.

Thus, it is not surprising that EU consumer groups recently found that Internet users’ privacy is better protected in the U.S. than in Europe, despite the Directive and all of the EU’s tough national privacy laws. As Consumers International, a UK-based federation of 263 consumer organizations, with members in 100 countries, found in a report released January 25, 2001, assessing 750 top world-wide web sites:

• Despite tight EU privacy legislation, researchers did not find that sites based in the EU gave better information or a higher degree of choice to their users than sites based in the US. Indeed, U.S.-based sites tended to set the standard for decent privacy policies.

• Many EU sites are failing to comply with EU rules that state that they must provide the data subject with the opportunity to opt out if their data is to be used for direct marketing purposes.

• The most popular U.S. sites were more likely than the EU ones to give users a choice about being on the company’s mailing list or having their name passed on, despite the existence of legislation which obliges EU-based sites to provide users with a choice.[7]

In short, the ongoing efforts by the EU to require other countries to adopt the EU’s standards for the protection of privacy is preceding, rather than following, the EU effectively securing enforcement of its laws within the borders of its Internal Market. The EU is demanding that companies based overseas comply with a Directive that is subject to massive non-compliance within the EU itself.

9. THE FURTHER THREAT POSED BY THE EU’S NEW “MODEL CONTRACTS.” 

There is little reason for the Congress to delay in considering these kinds of options. The current stand-still on enforcement by the EU is currently due to end on July 1, 2001, at which time U.S. firms who have not entered the Safe Harbor, or who like financial institutions are not eligible for the Safe Harbor, are potentially at risk from EU sanctions. The EU has not stood still while the Safe Harbor process has continued, but has developed as an alternative to Safe Harbor the approach of Model Contracts. These amount to contracts of adhesion whereby non-EU data importers must agree to the jurisdiction, choice of law, substantive law, authority, regulation and oversight by EU data exporters and the EU’s privacy czars. These model contracts, discussed in greater depth below, have many risky elements for U.S. firms. Among the most troubling are the requirement in these Model Contracts for joint and several liability for U.S. firms with their EU counterparts for any alleged violation of anyone’s privacy; the requirement that data subjects be given the right to sue the U.S. firms for any alleged violation of their privacy; and the requirement that U.S. firms pre-emptively capitulate to whatever the EU chooses to order them to do in the event any EU entity judges them to have violated someone’s privacy.

The EU is currently planning to adopt these Model Contracts as a recommended minimum floor of data protection to be enforced by each of the EU’s privacy czars as early as this July. In the future, these Model Contracts, or provisions similar to them, or based upon them, could become the de facto minimum standard for the processing of all data by the private sector regarding persons that leaves the EU (other than limited categories of public data). Their potential risks for U.S. competitiveness, and the risks they pose of creating an unfair burden on non-EU entities throughout the world, can hardly be overstated. Just last week, a senior European Commission official acknowledged that most countries’ privacy laws would never be found to be “adequate” under the Directive, and that the Model Contracts would therefore have global application.

It is very important to the components of U.S. industry that are outside the Safe Harbor, including financial services, that the Model Contracts not be used as a mechanism to force them into undertaking obligations that vastly exceed the obligations undertaken by companies permitted to enter the Safe Harbor. It is also important that the Model Contract process not be permitted to overtake, and overwhelm, the ongoing talks between the US and the EU on obtaining a finding of adequacy for the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, with their detailed regulations, under the Directive. The EU needs to understand that U.S. laws, too, need to be respected, just as the laws of its Member States must be.

[7] Privacy@net, An international comparative study of consumer privacy on the internet, January, 2001, published by Consumers International, and available at www.consumersinternational.org.

10. OPTIONS FOR U.S. POLICY MAKERS AND THE CONGRESS.

In light of the potential impact of the Privacy Directive on U.S. trade, the exercise of First Amendment rights, and U.S. competitiveness, the U.S. Congress should take a careful look at its range of options. These could include the following, which are offered as an illustrative, and incomplete, list of possibilities:

• Enacting U.S. federal laws that mimic those of the European Union, granting every person whose information is processed in the United States the right to sue anyone who has used that information for any purpose without their consent. This option risks running into substantial First Amendment and other Constitutional limitations, for the reasons expressed in great detail by Professor Volokh in his testimony before this Committee last week. Exercising this option would also turn every processor of information in the private sector into a member of a regulated industry, requiring a dramatic expansion of government control of the U.S. private sector, providing new opportunities for crowding U.S. courts with allegations of privacy torts, by Americans and overseas persons alike.[8]

• Pressing the EU to recognize, as international consumer groups have, that the U.S. system for protecting privacy is in practice at least as effective as that of the EU, and therefore constitutes adequate protection, eliminating the risk of the disruption of data flows.

• Doing as the EU did in response to Helms-Burton, and treating any efforts by the EU to enforce its Privacy Directive against U.S. companies in a fashion that is extraterritorial as an improper restraint of trade suitable for resolution by the World Trade Organization.

• Doing as Canada did in response to Helms-Burton, and imposing a blocking statute that in effect prohibits firms from complying with the Directive to the extent that it is inconsistent with U.S. law, and allowing U.S. firms to “claw back” damages from any EU counterparts caused by their use of the Privacy Directive to the injury of the U.S. firm.

• Creating a “Safe Harbor” for U.S. firms that adhere to U.S. federal privacy laws, by making compliance with such laws a “per se” defense to any private cause of action for alleged breach of privacy or related claims in any court based in the U.S.

• Further developing a regime of informed consent, under which companies that provided mechanisms for consumers to exercise informed consent were given a safe harbor against privacy claims in U.S. courts, so long as they lived up to their contractual obligations to data subjects.

• Asking the U.S. Trade Representative to consider recommending to the President the use of appropriate sanctions under Super 301 or other trade authorities to insure adequate protection of U.S. firms through proportionate measures to respond to any injuries to U.S. companies by the EU.

The Congress has some less dramatic additional interim options which could do much both to protect privacy and the First Amendment, and to simultaneously protect American competitiveness and trade. These include:

• Asking the Executive Branch to secure from the EU a detailed assessment of the existing compliance with the Privacy Directive by firms based in the EU, prior to negotiating further obligations for U.S. firms to comply with the Directive.

• Seeking and obtaining assurances from the EU that no action will be taken against U.S.-based firms for alleged violations of the Directive, until the EU can provide evidence that most EU-based firms have come into compliance with the Directive.

• Seeking and obtaining assurances from the EU that no action will be taken against U.S.-based firms for alleged violations of the Directive until the EU can demonstrate that it has effective mechanisms in place to prevent similar alleged violations by other countries around the world that process substantial amounts of personal data from the EU, including Brazil, China, Egypt, India, Indonesia, Israel, Japan, Malaysia, Russia, South Africa, South Korea, Sri Lanka, Taiwan, Thailand, among others.

• Insuring that EU Member States do not in practice force U.S. firms to enter into “Model Contracts” in order to import personal data from the EU that would create contractual rights for data subjects that would enable them to fill U.S. courts with privacy litigation, including class actions.

• Asking the GAO to determine the regulatory capacity of the U.S. to enforce the existing Safe Harbor and/or the broader parameters of the Privacy Directive were it applied to all processing of personal data by U.S. companies, and to estimate the potential cost of developing the regulatory capacity to administer the equivalent of the Directive in the U.S.

• Asking the Department of Commerce and the Office of the Trade Representative to develop a menu of possible options to respond to any cut-offs of data flows from the EU to the United States and to provide a report to Congress specifying these options.

• Asking the Office of the Trade Representative to review whether data protection laws at the national or EU level may violate the free trade rules administered by the World Trade Organization, a recommendation advocated for consideration several years ago by Professors Litan and Swire, and to develop the analytic and factual basis for making such a case in the event that the EU improperly imposed sanctions on U.S.-based firms.

• Asking the Department of Commerce to catalogue the benefits of maintaining the existing data flows, and to assess the damage that might be done were they to be impeded by enforcement action by the EU under the Privacy Directive.

[8] See also Swire and Litan, id, at p. 122. “A strict interpretation of the Directive could ban a great many practices by the press. The tension between the press and privacy laws is clear enough: an important responsibility of the press is to publicize personally identifiable information. In reporting on politics, business, entertainment, and sports, journalists routinely discuss named individuals. Often the reporting is done without the consent of the subject . . . Under Article 9 of the Directive, member states can make exemptions for the press, but the exemptions must be ‘solely for journalistic purposes’ and ‘only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’ This language seems to emphasize privacy rights and give relatively little scope to protecting free expression. As governed by Article 9, the press will face compliance difficulties when it transfers personal information out of Europe.”
11. FINAL THOUGHTS. 

In conclusion, your Committee has taken on an enormous issue in focusing on the impact of the Privacy Directive on the U.S. The Directive is not, unfortunately, a unique provision. Bit by bit, in its effort to harmonize its own laws for its internal market, the EU is developing other Directives that will come to have an increasingly global impact in setting standards for the whole world. Some of these Directives will surely contain sensible and useful elements. Others may reflect mistaken choices in policy. In either case, the U.S. needs to develop mechanisms to provide early warning on the impact of such Directives on the U.S., on U.S. competitiveness, and on U.S. Constitutional and policy values. The U.S. and the EU come from different histories, and in some areas, such as the area of what is appropriate governmental regulation, from different philosophies. The U.S. economy has been the strongest in the world throughout the years of the ongoing information revolution and the development of the world’s new economy. It would be a tragedy if the laws and rules of other jurisdictions were permitted to put our economy at risk, and to threaten the free flow of information so necessary to the world’s further economic development, however noble the intentions or lofty the goals.

With your permission, I would like to include with this testimony more detailed analyses of the major provisions of the Privacy Directive and the US-EU Safe Harbor, and of the new Model Contracts being proposed by the EU for adoption and application world-wide later this year.

Thank you. I look forward to responding to any questions, and to providing the Committee with any form of assistance you may request.

* * * 

Analysis of the EU Privacy Directive and the Safe Harbor 

A. THE EU PRIVACY DIRECTIVE. 

The European Union’s Privacy Directive became effective on October 25, 1998. The Directive:

• Embraces individual privacy as a fundamental human right;

• Applies to the processing and transfer of personal data concerning EU residents;

• Requires the EU individual’s consent for gathering and dissemination of personal information;

• Applies to all entities that gather, store or use personal data concerning EU residents, including those in the U.S. and every other country;

• Covers personal data transfers not only among affiliates, but even within a single corporate entity if the data is exported beyond the EU;

• Includes all data, electronic and non-electronic;

• Demands that data must be destroyed when no longer needed for the original purpose;

• Is enforced in each EU Member State by the Data Protection Authority, which operates independently of the government;

• Provides for civil suits with damages; and

• Provides extraterritorial protections that restrict the transfer of covered personal data to only those non-EU countries that provide an “adequate” level of privacy protection.


B. THE SAFE HARBOR AGREEMENT. 

The Safe Harbor Privacy Principles, negotiated between the U.S. Department of Commerce and the European Union and agreed to in July 2000, grant U.S. companies who are subject to the jurisdiction of the FTC or the Department of Transportation a presumption of “adequacy” of protecting personal data for purposes of the Directive, thereby allowing data transfers from the EU to continue to that company. U.S. organizations that choose not to qualify for the Safe Harbor will only be able to transfer data from the EU under one of the allowed exceptions or with an alternative safeguard, such as an EC-approved contract with the EU entity transferring the data — an approach permitted in theory but not yet available due to the European Commission’s failure thus far to adopt model contract provisions. In the meantime, the negotiations over treatment of financial services companies have not been completed, leaving banks, savings and loans, and credit unions, other than their affiliates under certain conditions, outside the Safe Harbor.

Briefly, the Safe Harbor:

• Consists of the seven principles of notice, choice, onward transfer, security, data integrity, access, and enforcement;

• Is voluntary;

• Applies forever to all EU personal data received during the company’s participation, even if the company later leaves the Safe Harbor;

• Has been available since November 1, 2000 to U.S. organizations through two qualifying options: (1) joining a self-regulatory organization; or (2) implementing appropriate self-regulatory privacy policies;

• Offers protection against direct enforcement by EU Data Protection Authorities (“DPAs”), although if an individual DPA working in conjunction with the FTC finds a violation or “substantial likelihood” of a violation, it will be permitted to bring enforcement against a U.S. company; and

• Does not protect U.S. organizations against private rights of action by EU residents, who may initiate privacy actions under their respective national laws.

1. Signing Up for the Safe Harbor Program. 

The U.S. Department of Commerce has had the Safe Harbor program in place and available for participation by U.S. companies since November 1, 2000. As of March 5, 2001, 26 U.S. companies had signed up for the Safe Harbor. There is as yet no fixed date by which U.S. organizations must either join the Safe Harbor or risk disruptions in the transfer of information from EU Member States. The current stand-still on enforcement by the EU runs out on July 1, 2001, although EU officials have privately told U.S. officials that they anticipate extending the standstill for a further period as they continue their efforts to secure compliance with the Directive within the EU’s Internal Market.

Safe Harbor members remain subject to the substantive requirements of the Directive and open to private rights of action by EU residents.

2. Qualifying for the Safe Harbor. 

There are several methods by which organizations may qualify for the Safe Harbor. An organization may self-certify to the Department of Commerce that:

• It has joined a self-regulatory organization that adheres to the Principles;

• It has implemented privacy policies that conform with the privacy principles of the Directive; or

• It is subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy consistent with the Directive. (Note: To date, the EU has not accepted that any U.S. law meets this standard, so this option is not currently available to U.S. companies.)

Alternatively, an organization may enter into EU-approved contracts directly with the entities in the EU that transfer data to the U.S. (Note: This option is also not yet available in practice, as such contracts must follow forms approved by the European Commission, which has not yet issued such forms. However, the Model Contracts are nearing the completion phase, and are due to be recommended by the relevant committee overseeing the Directive, the so-called “Article 31” Committee, in late March, 2001. Further discussion of the Model Contracts is set forth below.)

Organizations that rely on self-regulation and self-certification are subject to FTC enforcement for unfair or deceptive trade practices with respect to any misrepresentations concerning their adherence to the Principles. Companies that choose to self-regulate and self-certify must provide the Department of Commerce a self-certification letter on an annual basis. The Department of Commerce has agreed to establish and maintain a publicly available list of companies adhering to the Principles. An organization that fails to submit an annual self-certification letter will be removed from the list and Safe Harbor benefits will no longer be assured via this mechanism. Safe Harbor benefits begin on the date an organization self-certifies to the Department of Commerce. Once an organization joins the Safe Harbor, it must apply the Principles to covered data for as long as it stores, uses or discloses the data, even if it subsequently leaves the Safe Harbor.

3. Applying the Safe Harbor’s Seven Privacy Principles (Building a Privacy Program).

The Principles are comprised of the basic concepts of notice, choice, onward transfer, security, data integrity, access, and enforcement. Any organization qualifying for the Safe Harbor program must develop a privacy policy that complies with these seven basic principles.

a) Notice. The U.S. organization must provide EU individuals with clear and conspicuous notice regarding the purposes for which it collects and uses their personal information; how to contact the organization with inquiries or complaints; the types of third parties to which it discloses the information; and the choices and methods available to the individual for limiting its use and disclosure (the Notice). Personal data and information are defined in the Principles as “data about an identified or identifiable individual that are within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form.”

The organization must supply the Notice when individuals are first asked to provide personal information or as soon thereafter as practicable, but prior to disclosing the information to a third party or using it for any purpose other than that for which it was originally collected. When disclosing information to a third party that is operating as an agent (such as an outsourcer or other third party service provider), the organization is not required to provide Notice.

b) Choice. A qualifying organization must allow individuals to opt out of: (a) disclosing their information to a third party; and (b) using their information for a purpose other than that for which it was originally collected. The Principles do not define the term “organization,” leaving unanswered the question of whether an organization may share data with its affiliates without a formal opt-out procedure.

Individuals must affirmatively consent (opt in) to an organization’s disclosure of sensitive personal information to a third party or using it for a purpose other than that for which the information was originally collected. Sensitive information includes personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious beliefs, trade union memberships, information specifying the sex life of the individual, and any information submitted by a third party as sensitive information. There are limited exceptions; for instance, opt-in approval is not required when the sensitive information is necessary to carry out the organization’s employment obligations.[9]

c) Onward Transfer. Organizations may only disclose personal information to third parties consistent with the principles of notice and choice. With respect to transfers of personal data to a third party acting as an agent, an organization must determine either that the agent subscribes to the Principles or is subject to the Directive, before transferring the data. If the agent does not meet one of these requirements, the contract between the organization and the agent must obligate the agent to provide at least the same level of privacy protection as required under the Principles. If an organization complies with this requirement, it will not be held responsible for an agent’s improper processing of the personal data, unless it knew or should have known that the third party would process the information improperly.

d) Security. Organizations that collect, maintain, use or disclose personal informa- 
tion must take reasonable precautions to protect such personal information from 
loss, misuse and unauthorized access, disclosure, alteration and destruction. 


9 See Draft, Frequently Asked Questions (FAQs) FAQ 1 — Sensitive Data (all FAQs are accessible from http://www.ita.doc.gov/td/ecomymenu.html; hereinafter referenced as “FAQ”). 
e) Data Integrity. Organizations may collect only that personal information relevant to the purpose for which it will be used and must take reasonable steps to 
ensure that such personal data is not only reliable for its intended use, but is also 
accurate, complete and current. If an organization is serving merely as a conduit 
for personal data transmitted by third parties (e.g., ISPs, telecommunications car- 
riers, or others that merely transmit, route, switch or cache information) and does 
not determine the purposes and means of processing such data, it will not be held 
responsible for any violation of the Principles by the third parties transmitting such 
data. 10 

f) Access. The right of access is considered fundamental to the Principles, but it 
is not absolute. Organizations must give individuals access to their personal infor- 
mation and the ability to correct, amend or delete inaccurate information, except 
where the burden or expense of providing access is disproportionate to the individ- 
ual’s privacy rights at issue or where the rights of persons other than the requesting 
individual would be violated. 11 Individuals are not obligated to justify any request 
for access to their own personal data and organizations are permitted to charge a 
reasonable fee for such access. If an organization decides to deny access, it must be 
for a specific reason and the organization must provide an explanation of its deci- 
sion to the requesting individual. 12 

g) Enforcement. Safe Harbor organizations must implement compliance procedures 
or mechanisms. At a minimum, this must include: (a) readily available and afford- 
able independent recourse mechanisms by which an individual’s complaints are in- 
vestigated and resolved and damages awarded as provided under applicable law or 
private sector initiatives; (b) follow-up procedures for verifying that the assertions 
businesses make about their privacy practices are true and have been implemented 
as presented; and (c) obligations to remedy problems arising out of failure to comply 
with the Principles and consequence for violators. 

An organization may satisfy the dispute resolution requirements set forth in (a) 
and (c) above by: (1) agreeing to cooperate with DPAs located in the European 
Union; (2) complying with private sector-developed privacy programs that incor- 
porate the Principles into their rules and that include effective enforcement mecha- 
nisms of the type described in the enforcement principle; (3) complying with legal 
or regulatory supervisory authorities that provide for the handling of individual 
complaints and dispute resolution; or, (4) any other mechanism devised by the pri- 
vate sector that meets the requirements of the enforcement principle. 

An organization may fulfill the verification requirement of (b) of the enforcement 
principle either through self-assessment or outside compliance reviews. Under the 
self-assessment approach, an organization must issue an annual written verification 
statement, signed by a corporate officer or other authorized representative and 
made available upon request. 13 Under the outside compliance approach, reviews 
should be conducted at least once a year and should demonstrate that an organiza- 
tion’s privacy policy conforms to the Principles, and that the organization is in com- 
pliance. 14 

4. How Violations May Be Enforced. 

Violations of the Safe Harbor Privacy Principles may be enforced in several ways. 
An organization that chooses to subject itself to DPA enforcement must agree to: 
(a) cooperate with the DPAs in the investigation and resolution of complaints 
brought under the Safe Harbor; (b) comply with any advice given by the DPAs, in- 
cluding remedial or compensatory measures; and (c) provide the DPAs with written 
confirmation that such action has been taken. Organizations must comply with the 
advice of the DPAs within 25 days. If the organization has not complied, or prof- 
fered a satisfactory explanation for its non-compliance, the DPA will submit the 
matter to the FTC or other U.S. federal or state body with statutory powers to take 
enforcement action. Any failure to cooperate with the DPAs or to comply with the 
Principles will be actionable as a deceptive practice under Section 5 of the FTC 
Act. 15 

The FTC has agreed to review on a priority basis any complaints of Safe Harbor 
violations referred by privacy self-regulatory organizations (such as TRUSTe and 
BBBOnline) or EU member nations. If the FTC finds a violation, it may seek an 
administrative cease and desist order (with potential civil penalties) or file a complaint in a federal district court (with potential civil or criminal contempt charges). 
If an organization persistently fails to comply with the Principles, it will be denied 
the benefits of the Safe Harbor. 


10 See FAQ 3. 

11 See FAQ 8. 

12 See FAQ 8 for a detailed explanation of the access principle. 

13 See FAQ 7. 

14 See FAQ 7. 

15 See FAQ 5. 

5. Exceptions to the Principles. 

The Principles provide for exceptions in certain limited circumstances. These in- 
clude: (a) where necessary to meet national security, public interest or law enforce- 
ment requirements; (b) where statutes, government regulations or case law create 
conflicting obligations or explicit authorizations, provided an organization can dem- 
onstrate that its non-compliance is limited to the extent necessary to meet the over- 
riding legitimate interests furthered by such authorization; or (c) where the effect 
of the Directive or a Member State’s law is to allow exceptions, provided they are 
applied in comparable contexts. 

6. Current Data Transfers Protected for the Time Being. 

Pursuant to Article 26 of the Directive, Member States may permit a transfer or 
a set of transfers of personal data to a third country that does not ensure an ade- 
quate level of protection if: (a) the data subject has given his consent unambiguously 
to the proposed transfer; (b) the transfer is necessary for the performance of a con- 
tract between the data subject and the controller or the implementation of pre-con- 
tractual measures taken in response to the data subject’s request; (c) the transfer 
is necessary for the conclusion or performance of a contract in the interest of a data 
subject between the controller and a third party; (d) the transfer is necessary or le- 
gally required on important public interest grounds; (e) the transfer is necessary to 
protect the vital interests of the data subject; or (f) the transfer is made from a reg- 
ister which, according to laws or regulations, is intended to provide information to 
the public and which is open to public consultation. 

7. Effectiveness to Be Evaluated in 2001, 2003. 

The Commission will review the initial progress of the Safe Harbor program in 
mid-2001. This interim evaluation will be conducted by the Department of Com- 
merce and the Commission to determine whether any organizations have joined the 
Safe Harbor and whether their privacy programs have been successful. If U.S. orga- 
nizations are either not participating in the Safe Harbor, or are not complying with 
the Safe Harbor requirements, the Department of Commerce and the Commission 
will re-evaluate the Safe Harbor and may at that time set a date by which U.S. or- 
ganizations must comply or risk disruptions in data transfers from Member States. 
The Commission will then conduct a more formal review of its decision and the ef- 
fectiveness of the Safe Harbor in 2003. 

8. Timing of Safe Harbor Decision. 

For most U.S. companies, there have been three natural opportunities to make 
judgments about whether to enter the Safe Harbor: (1) the initial period after No- 
vember 1; (2) the spring of 2001, following the formation of a new Administration 
and the resumption of U.S. and EU negotiations over financial services; and (3) 
June, 2001, before the current enforcement stand-still is theoretically due to expire. 
As set forth above, very few U.S. companies took advantage of the initial period, 
nor does there currently appear to be a rush to sign up. Most companies have been 
well-advised to defer their decisions until close to the deadline for the end of the 
stand-still, when it may become easier to assess actual EU enforcement intentions. 

9. Safe Harbor Intended to Provide Predictability and Harmonization. 

The Department of Commerce has described the Safe Harbor as providing “pre- 
dictability and continuity for U.S. and EU companies that are sending and receiving 
personal information from Europe.” 16 The principal benefit ascribed to the Safe Har- 
bor is that it makes automatic the approval by all EU Member States of data trans- 
fers to participating U.S. companies, giving a presumptive finding of adequacy for 
any company that has signed up, articulated its commitment to the Principles, and 
specified its agreement to an enforcement mechanism. In addition, the Directive is 
designed to be implemented by laws in each of the fifteen countries that are mem- 
bers of the EU. These laws vary significantly. By providing a single set of data pro- 
tection rules, the Safe Harbor may offer advantages for companies that operate in 
more than one EU country. 


16 The Safe Harbor Privacy Principles, Frequently Asked Questions and other supporting final 
documents, including further information on the Safe Harbor list and European Commission 
supporting documents, are available from the DOC at: http://www.ita.doc.gov. Organizations will 
also be able to sign up for the Safe Harbor list at this Web site. 
At the same time, these benefits come at a significant cost. Participation requires 
U.S. companies to undertake substantive privacy obligations that go far beyond 
those required under current U.S. law. The Principles require not merely notice and 
choice for consumers, but a commitment by the Safe Harbor participant not to 
transfer personal data to any third party unless the Safe Harbor participant is as- 
sured that the third party also adheres to the Principles. Participating companies 
must also provide access for each individual to all of their personal information held 
by the organization, and the right to correct, amend or delete inaccurate informa- 
tion. In general, U.S. companies that sign on to the Safe Harbor automatically sub- 
mit themselves to the jurisdiction of the Federal Trade Commission (FTC), which 
will have the authority to enforce the Safe Harbor by treating failures to comply 
with posted privacy policies as unfair or deceptive trade or business practices. Com- 
panies that do not abide by their Safe Harbor commitments may also be subject to 
civil actions for damages brought directly by individual European citizens. 

10. Key Terms Still Ambiguous. 

Applying the Safe Harbor could be especially complex for U.S. companies whose 
structure includes multiple corporate units handling different kinds of personal in- 
formation for different purposes. Key terms used in the Principles, such as “organi- 
zation” and “third party,” remain intentionally undefined because of differences be- 
tween the U.S. and the EU over the meaning of the terms. These ambiguities make 
it difficult to determine whether a transfer of personal information is within the “or- 
ganization” and permissible or to a “third party,” requiring consumer consent. Dif- 
fering interpretations of the law by the individual EU Privacy Commissioners raise 
other uncertainties, as does the mix of enforcement mechanisms in the U.S. and in 
the EU. 

11. Status of U.S. Financial Institutions Remains To Be Negotiated. 

Financial institutions, as broadly defined under the Financial Services Modernization Act of 1999 (the “Gramm-Leach-Bliley” bill or “GLB”), face separate issues. The 
U.S. and the European Commission were unable to reach agreement that GLB ade- 
quately protects privacy, in large part because GLB permits the sharing of person- 
ally identifiable information among affiliates. As a result, compliance with GLB for 
financial institutions is not at this time deemed by the EU to constitute compliance 
with either the Directive or the Safe Harbor. Because the FTC’s underlying author- 
ity excludes banks, savings and loans and credit unions from FTC jurisdiction, these 
financial institutions may not participate directly in the Safe Harbor. 17 The Depart- 
ment of Commerce has advised that applications from such institutions for the Safe 
Harbor will not be accepted, because of the absence of FTC jurisdiction. 

The U.S. and the European Commission have agreed in principle to renew talks 
in an effort to secure an agreement covering financial services, but these negotia- 
tions have yet to move forward in a substantive fashion. In the meantime, the EU 
stand-still for financial services is expected to remain in place until at least July 
1, 2001, and from then, until some agreement is reached between the U.S. and the 
EU on an enforcement mechanism to permit their participation in the Safe Harbor 
or compliance with the Directive through other means. 

12. How Safe Harbor Works. 

When a company signs up for the Safe Harbor, it is obligated to apply the Prin- 
ciples to all data transferred after the date it enters the Safe Harbor, except data 
that is manually processed. That obligation remains regarding that data forever, 
even if the company later withdraws from the Safe Harbor. To qualify, a company 
must also specify to which enforcement agency’s jurisdiction it is submitting. At this 
time, only two U.S. agencies have been granted recognition by the EU for this pur- 
pose: (1) the Department of Transportation, for airline carriers, computer reserva- 
tion systems and other entities it regulates; and (2) the FTC for all other U.S. busi- 
nesses (except as noted above). 

13. Qualifying for the Safe Harbor. 

The DOC is administering the Safe Harbor and has posted rules for signing up. 18 
The rules include: 

• Notification to the DOC by a corporate officer by mail or through www.ita.doc.gov/ecom that the organization adheres to the Principles; 
• A request to be put on the Safe Harbor List; 
• Public declaration by the organization that it adheres to the Principles and the inclusion of this statement in a published privacy policy; and 
• Specification that it is subject to the jurisdiction of the FTC or the Department of Transportation, and further specification of any self-regulatory body, such as TRUSTe or BBBOnline, whose rules it is applying as a means to adhere to the Principles. 


17 See 15 U.S.C. §45(a)(2) and §45(a)(f)(l), for a description of the FTC’s jurisdictional limits. 
18 See http://www.ita.doc.gov. 

C. ANALYSIS OF THE NEW EU MODEL CONTRACT FOR PERSONAL DATA TO COMPLY WITH 
THE EU PRIVACY DIRECTIVE 

As part of securing global compliance with its Directive on Data Protection (the 
Directive), the European Union is nearing adoption of “Model Contracts” to govern 
the transfer of personal data from the EU to the United States. New draft Model 
Contracts are currently under review at the European Commission in Brussels, and 
final action could come as soon as June, 2001. To date, the U.S. government has 
not taken a position on the Model Contracts, despite their broad potential impact 
on U.S. companies. 

The new Model Contracts obligate U.S. importers of data to comply with sub- 
stantive EU data privacy law containing requirements far more onerous than those 
applicable in the United States. Compliance with the legal obligations embodied in 
the Model Contracts could create very substantial costs for U.S. companies and im- 
pact the U.S. and global economies. 

Once approved by the EU, the Model Contracts would permit an EU entity to 
send personal data to a company located in a country, such as the U.S., that the 
EU has not yet deemed to have “adequate protection” in place for personal data. 
The Directive indicates that adoption of a Model Contract is one means of achieving 
adequate protection. Under the terms of the U.S.-EU Safe Harbor agreement on 
data privacy made in July, 2000, entry by a U.S. company into the Safe Harbor is 
another means of achieving adequacy of protection. However, the Safe Harbor is not 
available to certain types of companies such as financial institutions and tele- 
communications companies, leaving them potentially no alternative to the Model 
Contracts. Furthermore, recent comments by EU officials may cast doubt upon the 
Safe Harbor as a fully sufficient means of satisfying EU regulatory requirements. 
As no other means of providing adequacy of protection has been approved by the 
EU, Model Contracts may come to be required for many U.S. companies receiving 
personal data from the EU. 19 Notably, the EU intends to create an exception to this 
requirement for a non-EU company that is merely processing data on behalf of an 
EU company and that exercises no control over the data. 

The Model Contracts raise questions of U.S. sovereignty. Under the Model Con- 
tracts, U.S. firms would be required to apply EU substantive privacy law to their 
operations extraterritorially and to submit to EU jurisdiction and auditing of their 
facilities. They also would have to accept joint and several liability, as well as the 
right of all data subjects whose data is exported from the EU to sue for alleged viola- 
tions. U.S. parties to the Model Contracts would have to provide all EU data sub- 
jects the right to access and correct all of their personal data, and the right to stop 
its use for any purpose beyond the original consent. 

The Model Contracts have come in “under the radar” while attention was focused 
on the Safe Harbor, negotiated last year between the U.S. and the European 
Union. 20 The Safe Harbor provides U.S. firms who sign up to it a finding of “ade- 
quacy” under the Directive, thus protecting them from possible disruptions in data 
flows by EU Member States. But to date, only a handful of U.S. firms have signed 
up to the Safe Harbor. As such, the EU’s drive to create the Model Contracts and 
its apparent move to require them for transactions not covered by the Safe Harbor 
appears to be an attempt to fill the wide gap left by the narrow impact of the Safe 
Harbor. 

The EU has advised that it intends to move forward with the adoption of the 
Model Contracts sending them to the European Parliament for consideration, over 
the course of the spring. The Commission has advised that the Model Contracts 
could enter into force as early as July 1, 2001, the end of the current standstill for 
enforcement of the Directive against U.S. firms. In practice, this deadline, like any 
political timetable, remains subject to change. Significantly, July 1, 2001 is also the 
deadline for compliance by U.S. financial institutions with the privacy provisions of 
the Gramm-Leach-Bliley Act. 


19 It is not yet clear the extent to which existing contracts between EU and US firms governing the processing of personal data from controller to controller will be grandfathered and 
renewable. The European Commission has informally stated that it anticipates existing contracts will remain lawful, but that the Data Protection Authorities will have the discretion to 
require tougher privacy obligations as such contracts are renegotiated. 

20 See Alston & Bird LLP Electronic Commerce and International Regulatory Advisory, “The 
EU Safe Harbor — Should Your Company Sign on Now?,” dated October 30, 2000 and located 
at: http://www.alston.com/docs/Advisories/199709/The EU Safe Harbor.pdf. 

U.S. ADMINISTRATION CONSIDERING RESPONSE. 

The Bush Administration is currently in the process of considering responses to 
EU queries regarding the Model Contracts. Newly arrived policymakers at the De- 
partments of Commerce and Treasury are now considering whether to act to slow 
the EU’s adoption of the Model Contracts, given their potential impact on substan- 
tial sectors of the U.S. economy and on trans-Atlantic data flows. 

If the Model Contracts are adopted, and the U.S. government does not object, U.S. 
firms who control personal data that comes from the EU, and are not part of the 
Safe Harbor, will, in essence, be forced to rapidly adopt new information manage- 
ment practices required by EU regulations. Such companies may wish to examine 
their current information management practices against the emerging laws, regula- 
tions, codes, and guidelines in the EU, to determine the feasibility and costs of com- 
pliance. 

For now, U.S. companies concerned about the potential impact of the Model Con- 
tracts may wish to express their views to the key players in the Bush Administra- 
tion, which, in addition to the Departments of Commerce and Treasury, include the 
Office of the Trade Representative, the National Economic Council, and the U.S. De- 
partment of State. 


AN OVERVIEW OF THE MODEL CONTRACTS. 

What Are the Model Contracts? 

Under the Directive, the EU has the right to develop Model Contracts that can 
be used as mechanisms to ensure that EU Data Exporters (Data Exporters) have 
secured adequate assurances from non-EU Data Importers (Data Importers). The 
Directive does not, however, specify what elements need to be in the Model Con- 
tracts. The EU first promulgated possible text of the Model Contracts on September 
29, 2000, providing a two-week window for comment. In mid-January, EU represent- 
atives advised the U.S. Department of Commerce of the EU’s likely adoption of the 
Model Contracts in February or March. At the same time, the EU group given the 
responsibility of developing the Model Contracts by the Directive (known as the “Ar- 
ticle 29” Committee), suggested that all data flows from the EU to any non-EU enti- 
ty would have to be governed by either the Model Contracts or more stringent meas- 
ures that might be enacted by individual EU Member States who choose to provide 
even higher levels of protection. 

Relationship of Model Contracts to Safe Harbor. 

In the past, the EU characterized the Model Contracts as a possible alternative 
to the Safe Harbor for U.S. firms, and the fundamental alternative for U.S. entities 
such as financial institutions and telecommunications firms that could not partici- 
pate in the Safe Harbor. This position finds direct support in the language of the 
EU-US Safe Harbor agreement. Now, however, comments by EU officials in the “Ar- 
ticle 29” Committee that has endorsed the contracts, have advised that the Model 
Contracts should be viewed as a mandatory “floor” of protections for personal data 
being exported from the EU. As a result, according to the “Article 29” Committee, 
the provisions of the Model Contract, or other contracts providing equivalent or 
greater protections, must be agreed to by any non-EU entity from a country that 
is deemed to have inadequate privacy laws. For the U.S., the provisions of the 
Model Contracts would therefore presumably apply to all U.S. firms importing per- 
sonal data from the EU over which they exercise control, other than U.S. firms that 
have actually entered the Safe Harbor. 21 

Who Would Be Covered by Model Contracts? 

If the new EU position is adopted unhindered, sectoral coverage under the Model 
Contracts would be extremely broad, reaching most Trans-Atlantic flows of personal 
data. The EU would require the Model Contracts to be used whenever there was 
a transfer of personal data within an international or multinational group of companies, within a consortium of independent organizations set up to process international transactions, between independent entities where both companies exercise 
control over the data, between providers of professional services (such as lawyers, 
accountants, financial advisers, stockbrokers, and surveyors), or for direct marketing, and insolvency and bankruptcy sales. 


21 As set forth in footnote 18, one likely near term exception would grandfather existing contracts already approved by EU data protection authorities for the export of data. Whether or 
not these contracts could be renewed with their existing provisions if they failed to contain such 
provisions as guaranteeing data subjects the right to sue as third party beneficiaries, and joint 
and several liability, is not certain. The Article 29 Committee’s statements suggest that such 
provisions will be mandatory. However, to a considerable extent the Member States will remain 
free to determine how to use the Model Contracts as they apply the domestic laws in conformity 
with the requirements of the Directive. 

Required Elements of Model Contracts. 

In the current draft of the Model Contracts, contracts entered into between Data 
Exporters and Data Importers must create an adequate level of protection for per- 
sonal data transferred to the non-EU country. The contracts must be entered into 
for the explicit “benefit of Data Subjects,” which would create a private cause of ac- 
tion for anyone who deemed themselves injured by an infringement of their data 
rights. Under the Model Contracts, the data subjects would have the explicit right 
to enforce the terms of the contracts as third party beneficiaries. In this instance, 
the data subject would be free to choose dispute resolution in the forum of his or 
her choice, including mediation, the courts of the exporting Member State, a forum 
for disputes provided by the DPA in the exporting Member State, or an arbitration 
body chosen by the data subject. Although the Model Contracts do not explicitly ad- 
dress the issue of the enforcement of contract rights outside the EU, in theory, a 
U.S. person whose data is exported from the EU to the US in alleged violation of 
a provision of a Model Contract would also be a third party beneficiary to the con- 
tract, with the right to sue under the contract in the courts of their domicile, such 
as in the U.S. 

Obligations of the Data Exporter. 

The draft Model Contracts would require all Data Exporters to warrant that: they 
have met the Directive’s obligations in collecting and processing personal data; they 
have, before any data is transferred, explicitly informed data subjects that their 
data could be transferred to a third country if the importing entity entered into a 
contract containing protective clauses provided by law for this purpose; and they 
will make the protective clauses available upon the request of any data subject. 

Obligations of the Data Importer. 

Under the proposed Model Contracts, Data Importers will essentially be required 
to meet the full obligations of EU entities in handling data. Indeed, in some respects, 
the Model Contracts go beyond the literal requirements of the Directive itself, and in 
pursuit of the ostensible goals of the Directive, would impose entirely new obligations 
on Data Importers. Among their most significant obligations, the Model Contracts 
would require Data Importers to: 

• Agree to submit all of their data processing facilities, files and documents to audit by the Data Exporter and the DPAs in the EU. 
• Cooperate with the DPA in any inquiries regarding data processing and abide by the advice of the DPA if given. 
• Process data in accordance with a body of laws approved by the EU as offering adequate protection, which may include, at the Data Exporter’s option, the laws of the exporting EU country, a set of newly-promulgated Mandatory Data Protection Principles, or the laws of the country where the Data Importer is based if found by the EU to offer adequate protection (but only if the importer is not already subject to such laws). Any of these alternatives may include more stringent requirements than the Directive itself. 
• Use the data only for the purposes for which the data has been transferred. 
• Store data only as needed to carry out the purposes for which the data has been transferred. 
• Not retransfer the data to an entity in a jurisdiction whose laws are not deemed to offer adequate protection unless the data subject has opted in to such transfer in the case of sensitive data, or has been given an opt-out opportunity in all other cases. Alternatively, the Data Importer may put a Model Contract in place with its intended transferee. 
• Allow the data subject access to all data relating to him or her being processed in the U.S. 
• Allow the data subject the right to correct or delete data which has become inaccurate. 
• Allow the data subject the right to object to the processing of his or her data on compelling grounds based upon his or her particular situation. 
• Name a privacy officer to handle inquiries from Data Exporters and the DPAs. 

EU Laws Would Govern Liability for U.S. Firms. 

The Model Contract process would not permit U.S. Data Importers freedom of con- 
tract with Data Exporters with respect to liability issues. Rather, it would automati- 
cally require all Data Exporters and Data Importers to agree to be held jointly liable 
for damages to data subjects resulting from any unlawful processing or act incom- 
patible with the national laws adopted pursuant to the Directive. The parties re- 
main free to provide for mutual indemnification by contract, but the risk of insol- 
vency in the Data Exporter is thus passed on to the U.S. Data Importer, leaving 
the data subject protected with the U.S. Data Importer’s assets for breaches by ei- 
ther party. Although the U.S. Data Importer may be exempt from liability if it can 
prove that the Data Exporter is solely responsible for the violation, the burden of 
proof is shifted onto the U.S. Data Importer in such cases. 

Non-EU Firm Must Agree To Abide By EU Decisions Over Privacy Violations. 

To import personal data from the EU, Data Importers from countries deemed to 
have inadequate personal data protections, would be required to abide by the data 
subject’s choice for a dispute resolution forum, in the event that the data subject 
is a party to the dispute. Permissible choices include a mediation forum, the EU 
court in the Member State where the Data Exporter is established, a body for dis- 
pute resolution provided by the DPA in the Member State where the Data Exporter 
is established, or an arbitration forum in a country which is party to the conven- 
tions on enforcement of arbitration awards. Note that the Data Importer must also 
agree in advance to abide by the decisions of the DPAs in the EU as if it were a 
party to the proceedings, even if it has not actually participated in them. 

COST AND FEASIBILITY OF COMPLIANCE UNCERTAIN. 

This summer, the EU plans to review the effectiveness of the Directive in meeting 
its goals. As it does, the EU will face the reality that compliance with the Directive 
is spotty. In some EU countries, such as Spain and the United Kingdom, DPAs have 
begun to initiate enforcement actions and require privacy violators to pay substan- 
tial fines. In other EU countries, including France and Germany, the European 
Commission is still taking legal action to force the Member State to enact required 
privacy laws. 

In the meantime, neither the European Commission nor any EU country has yet to conduct any published study that would provide guidance as to either how costly compliance might be, or whether complete compliance with the Directive is actually possible, either for larger firms with complex corporate structures, or for smaller and medium-sized enterprises that have limited resources for information management. On the other hand, pressed by the threat of information cut-offs, a number of other countries, including Argentina, Australia,22 Canada,23 Hong Kong, Hungary, New Zealand, and Switzerland have now passed data protection laws similar to those of the EU. The tension between the growing web of international data protection laws, and the very limited history of the enforcement of these laws, creates an uncertain and potentially difficult business, information management, and legal environment for many companies who process personal data across national borders. 

IMPLICATIONS. 

The new EU Model Contracts have the potential to go well beyond the Safe Harbor to impact information practices of U.S. firms. The EU’s Article 29 Committee has suggested that it intends to encourage the Member State’s DPAs to apply the Model Contracts to most international data flows involving countries that it has not deemed to have adequate personal data protections. Although existing contracts governing data protection would likely be grandfathered for the near term, over time, the DPAs would use the Model Contracts, or their functional equivalents, to ensure that EU jurisdiction, choice of law, regulation, and sanctions govern all data that leaves Europe to such places as the U.S. This approach would deprive non-EU entities of independent recourse in disputes, requiring them to submit to and abide by whatever the data subjects or DPAs decide. In short, it would subject the Data Importer to the full power of the European Union’s national authorities and laws, regardless of where the Data Importer is located. 

22 See Alston & Bird LLP Electronic Commerce and International Regulatory Advisory, “Foreign Privacy Laws Proliferate: New Laws in Argentina and Australia Have Extraterritorial Application,” dated December 19, 2000, and located at: http://www.alston.com/docs/Advisories/199709/Foreign Privacy Laws.pdf. 

23 See Alston & Bird LLP Electronic Commerce and Financial Services Advisory, “New Canadian Privacy Law Now in Effect; Potential Impact on U.S. Firms Obtaining Personal Information from Canada,” dated January 23, 2001, and located at http://www.alston.com/docs/Advisories/199709/new Canadian privacy.pdf. 

RECOMMENDATIONS. 

Any U.S. company that receives customer or employee personal data from the EU should review its existing information management systems, human resources practices, information collection practices, and information dissemination practices against the requirements of the Model Contracts to determine the extent to which existing systems and practices are in compliance. An assessment should be made of compliance costs for meeting the Model Contracts requirements, including the provisions regarding access rights for data subjects. In light of the fact that the EU Model Contracts have yet to be promulgated, potentially affected firms may wish to consider providing their views on the Model Contracts to relevant policymakers in both the EU and the United States. 

Mr. Stearns. Thank you. 

Professor Reidenberg? 

STATEMENT OF JOEL R. REIDENBERG 

Mr. Reidenberg. Thank you very much, Mr. Chairman, members. I would also like to commend you for holding today’s hearing to explore and understand the international dimensions of the global information marketplace. 

As background to the hearing today, I have authored — co-authored two books related specifically to the subjects that we are talking about, and over the last decade have served as an expert advisor both to the Congress at the Office of Technology Assessment, the Federal Trade Commission, and to the European Commission. I am here today, though, as a scholar on data protection law and policy. 

I prepared a written statement that I ask you to include in the 
record. 

Mr. Stearns. By unanimous consent, all of the written state- 
ments will be made part of the record. 

Mr. Reidenberg. Thank you. And I would like to highlight in these remarks three areas from that statement. 

The first are the implications of the EU directive here in the United States. From the business perspective, the directive I think has both positive and negative trade effects. On the positive side, which we have not really heard about in today’s hearing, the directive harmonizes in the EU marketplace for the 15 member states privacy standards, and establishes their single market for flows of information. 

I think that is something that is very important. That is a benefit for American businesses. It means that they operate with one more or less uniform set of standards as opposed to 15 radically different country laws. 

On the negative side, the directive will force intense scrutiny and limits on international data flows. This — I would disagree with the assessments that this is an extraterritorial application of European law, because I think that it is the European Union saying, “If it is European origin data, we want to be sure that our local privacy rules are not circumvented overseas.” 

For U.S. citizens, the directive I think highlights that American citizens are becoming second-class citizens in the privacy world, the global level. Why? American law has simply not kept up with the technology. The directive is being followed around the world. Countries prefer the European approach to the United States treatment of personal information. 

And the consequence for that is that citizens outside the United States will have better legal protection for their privacy in the global marketplace than those citizens within the United States. 

The second point that I would like to highlight in my testimony is that the safe harbor solution to assure international data flows I believe is completely illusory. Safe harbor is not going to be a satisfactory way of rectifying the serious weaknesses in American law. 

The legal basis for safe harbor in the United States I think is 
very questionable. The safe harbor is predicated on Federal Trade 
Commission enforcement under Section 5 and the availability of 
legal recourse in the United States. 

And if we look at the Federal Trade Commission statutory authority, I do not believe that the Federal Trade Commission has the authority to protect foreign consumers under the unfair and deceptive practices jurisdiction in order to advance U.S. business interests. And, in fact, the Supreme Court has interpreted the FTC’s authority rather narrowly, and Congress has yet to specifically authorize the FTC to protect foreign consumers. 

The proposed recourse I think is rather meaningless. The memorandum that was submitted to the European Commission and approved as part of the package refers, for instance, to tort rights that are available under American law. Well, they don’t exist yet. We do not have cases in the United States where courts have enforced tort rights for data privacy cases. 

The Seal Organizations that are also touted under the safe harbor — and when we look at the membership lists, I think we find it a who’s who of privacy scandal-plagued companies. And I think that is very troubling. 

If you look at the scope of safe harbor, it is extremely narrow. Most of e-commerce will be outside the scope of the safe harbor because of the choice of law provisions that one finds in the directive. I think that we are going to see the national supervisory authorities within Europe very reluctant to follow safe harbor, and at the same time, as a result, increase the risk for non-safe harbor companies that their data flows will be suspended. 

The third and last area I want to focus on are a couple of recommendations, two in particular. The first is that I think the best approach for the U.S. Congress is to establish clear legal privacy rights in the United States. The United States is very rapidly becoming a rogue country when we look at the information marketplace and a haven for unfair treatment of personal information. I think that is something we have to rectify as a matter of good, domestic public policy. 

At the international level, I think that it will be particularly important for us to push toward an international treaty to deal with privacy. Privacy implicates core democratic values and markets, market issues, and I think only a treaty will enable us to resolve many of the conflicts that will go — that we will see in the future. That I believe to be the best way to solve some of the problems we have on the horizon with the European Union. 

With that, I would like to conclude, and thank you very much for 
this opportunity. 
[The prepared statement of Joel R. Reidenberg follows:] 

Prepared Statement of Joel R. Reidenberg, Professor of Law and Director 
of the Graduate Program, Fordham University School of Law 

Mr. Chairman and Members of the Committee, I would like to thank you for the invitation to testify and to commend you for convening this hearing on the European Union’s Data Privacy Directive. My name is Joel Reidenberg. I am a Professor of Law and the Director of the Graduate Program at Fordham University School of Law. As an academic, I have written and lectured extensively on data privacy issues and have co-authored two books related to today’s hearing. 1 I am a former chair of the Association of American Law School’s Section on Defamation and Privacy and have also served as an expert advisor on data privacy issues for the European Commission, the U.S. Federal Trade Commission and, during the 103rd and 104th U.S. Congresses, the Office of Technology Assessment. I appear today as a scholar on data privacy law and policy and do not represent the views of any organization with which I have had affiliations. 

My testimony will focus on four points: (1) the philosophy and content of the EU Data Protection Directive, (2) the implications of the European Directive for US privacy policy, (3) the false hope of the US-EU safe harbor agreement, and (4) recommendations for Congressional action. 2 

1. THE EU DATA PROTECTION DIRECTIVE 

a) Background and Underlying Philosophy of European Data Protection 

While there is a consensus among democratic states that information privacy is a critical element of civil society, the United States has, in recent years, left the protection of privacy to markets rather than law. In contrast, Europe treats privacy as a political imperative anchored in fundamental human rights. European democracies approach information privacy from the perspective of social protection. In European democracies, public liberty derives from the community of individuals and law is the fundamental basis to pursue norms of social and citizen protection. This vision of governance generally regards the state as the necessary player to frame the social community in which individuals develop and information practices must serve individual identity. Citizen autonomy, in this view, effectively depends on a backdrop of legal rights. Law, thus, enshrines prophylactic protection through comprehensive rights and responsibilities. Indeed, citizens trust government more than the private sector with personal information. 

In this context, European democracies approach data protection as an element of public law. Since the 1970s, European countries have enacted comprehensive data privacy statutes. Under the European approach, cross-sectoral legislation guarantees a broad set of rights to assure the fair treatment of personal information and the protection of citizens. In general, European data protection laws define each citizen’s basic legal right to “information self-determination.” This European premise of self-determination puts the citizen in control of the collection and use of personal information. The approach imposes responsibilities on data processors in connection with the acquisition, storage, use and disclosure of personal information and, at the same time, accords citizens the right to consent to the processing of their personal information and the right to access stored personal data and have errors corrected. Rather than accord pre-eminence to business interests, the European approach seeks to strike a balance and provide for a high level of protection for citizens. 

b) Adoption of the Directive 

As data protection laws proliferated across Europe during the 1980s, there were significant divergences among those laws and harmonization became an important goal for Europe. 3 In 1995, following the Maastricht Treaty of European Union, the European Union adopted Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 4 [the “European Directive”] to harmonize the existing national laws within the European Union. The European Directive sought to assure that all Member States provided satisfactory privacy protection and to assure the free flow of personal information across Europe through the respect of basic, standardized protections. 

1 Paul Schwartz and Joel R. Reidenberg, Data Privacy Law: A Study of US Data Protection Law and Practice (Michie: 1996); Joel R. Reidenberg and Paul M. Schwartz, Online Services and Data Protection and Privacy: Regulatory Responses (Eur-OP: 1998). These books were prepared with funding from the European Commission for DG XIII and DG XV, respectively. 

2 Parts of this testimony are based on excerpts from three articles that I have published: Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 STANFORD L. REV. 1315 (2000); A Movement toward Obligatory Standards for Fair Information Practices in the United States, in VISIONS FOR PRIVACY IN THE 21st CENTURY, Colin Bennett & Rebecca Grant, eds., (Univ. of Toronto Press: 1999); Restoring Americans’ Privacy in Electronic Commerce, 14 BERKELEY TECH. L. J. 771 (1999). 

3 For a discussion of divergences in Member State law related specifically to online services, see Reidenberg & Schwartz, supra note 1. 

Under European Union law, a “directive” creates an obligation on each Member State to enact national legislation implementing standards that conform to those defined in the directive. The European Directive requires that national law protect all information about an identified or identifiable individual whether or not the data is publicly available. The European Directive requires that an individual’s consent be obtained prior to processing personal information for purposes other than those contemplated by the original data collection. The European Directive allows Member States to further restrict the processing of defined “sensitive” data such as health information. 5 The European Directive restricts the collection and use of personal information not relevant for the stated purpose of processing. The processing of personal information must be transparent with notice provided to individuals for the treatment of their personal information. Organizations processing personal information must provide the data subjects with access to their personal information and must correct errors. The European Directive further requires that organizations maintain appropriate security for the processing of personal information. 

For global information networks and electronic commerce, the comprehensive approach inevitably invokes some tension. Without the statutory authority to restrict transborder data flows, the balance of citizens’ rights in Europe could easily be compromised by the circumvention of Europe for processing activities. Consequently, the European Directive includes two provisions to assure that personal information of European origin will be treated with European standards. A choice of law clause in the European Directive assures that the standards of the local state apply to activities within its jurisdiction and a transborder data flow provision prohibits the transfer of personal information to countries that do not have “adequate” privacy protection. 6 

In terms of enforcement, each Member State must maintain an independent, national supervisory authority for oversight and enforcement of these privacy protections. 7 Significantly, the European Directive also mandates that Member State law require any person processing personal information to notify the national supervisory authority and the supervisory authority must keep a public register of data processors. 8 

c) Implementation Issues 

The European Directive provided a transition period through October 1998 for Member States to transpose the standards into national law. However, as is not uncommon in the European system, nine Member States failed to comply strictly with the deadline. By January 2000, the European Commission began proceedings before the European Court of Justice against France, Germany, Ireland, Luxembourg, and the Netherlands for their delays in transposition. Although each of these countries had strong, existing data protection statutes, the European Commission argued that not all of the standards contained in the European Directive were satisfactorily addressed in the national laws. At present, proceedings before the European Court of Justice continue against France, Germany, and Luxembourg. 

Notwithstanding the transposition delays, the harmonization achieved by the European Directive is significant, but does not remove all divergences and ambiguities in the European national laws. 9 By and large, the European Directive creates a strong baseline of protection across Europe. But, small divergences and ambiguity will inevitably exist where the principles must be interpreted by different supervisory agencies in each of the Member States. These remaining divergences in standards can pose significant obstacles for the complex information processing arrangements typical in electronic commerce. For example, the European Directive requires that privacy rights attach to information about any “identifiable person”. 10 Yet, the scope of this definition is not the same across the Member States; what some Member States consider “identifiable” others do not. 11 Similarly, the disclosures that must be made to individuals prior to data collection may still vary within Europe. 12 These differences can distort the ability and desirability of performing processing operations in various Member States since potentially conflicting requirements might apply to cross-border processing of personal information. 

4 1995 O.J. (L281) 31 (Nov. 23, 1995). 

5 For insightful discussions of the flaws in consent as a model of privacy protection, see the series of articles written by Paul Schwartz: Beyond Lessig’s Code for Internet Privacy: Cyberspace Filters, Privacy Control and Fair Information Practices, 2000 Wis. L. Rev. 743; Internet Privacy and the State, 33 Conn. L. Rev. 815 (2000); Privacy and Democracy in Cyberspace, 52 Vanderbilt L. Rev. 1609 (1999). 

6 See European Directive 95/46/EC, at Art. 4 (choice of law) and Art. 25 (export prohibition). 

7 European Directive 95/46/EC, art. 28. 

8 Id., arts. 18-19. 

9 For an analysis of these divergences, see Reidenberg & Schwartz, supra note 1; Peter Swire & Robert Litan, None Of Your Business: World Data Flows, Electronic Commerce, And The European Privacy Directive 188-196 (1998). 

The effect of this challenge to comprehensive standards is, however, mitigated by consensus building options and extra-legal policy instruments that are available in the European system. The European Directive creates a “working party” of the Member States’ national supervisory authorities. 13 The Working Party offers a formal channel for data protection officials to consult each other and to reach consensus on critical interpretive questions. 

Compliance with the national laws has also been an issue in Europe. The notice and registration requirements, in particular, appear to have a spotty reception. One study conducted for the European Commission questioned whether data processors were adequately notifying their treatment of personal information to the national supervisory authorities 14 and a recent study by Consumers International found that European web sites were not routinely informing web users of their use of personal information. 15 Nonetheless, the existence of the national laws and the penalties do allow for enforcement actions to be taken in these cases of non-compliance. 

2. IMPLICATIONS FOR THE UNITED STATES 

The European Directive exerts significant pressure on U.S. information rights, practices and policies. The Directive facilitates a single information market place within Europe through a harmonized set of rules, but also forces scrutiny of US data privacy. In this context, the lack of legal protection for privacy in the United States threatens the flow of personal information from Europe to the United States. At the same time, the EU Directive is having an important influence on privacy protection around the world and leaves Americans with legal protections as second class citizens in the global marketplace. 

a) The Harmonized European Market Place 

Despite implementation divergences, the overall harmonization effect of the European Directive creates a common set of rules for the information market place in Europe. Companies operating within the European Union have the benefit of common standards across the Member States rather than 15 diverse sets of conflicting national rules. This creates a large, level playing field for the treatment of personal information in Europe. With a high level of legal protection available on a cross-sectoral basis, Europeans do not face the same privacy obstacles for e-commerce that currently threaten the American experience. The culture of legal protection in Europe provides European companies with a competitive privacy advantage doing business in Europe over the many American companies that are unaccustomed to applying fair information practices to personal information. 

b) Scrutiny of US Data Privacy and European Export Prohibitions 

The European Directive requires the national supervisory authorities in each of the Member States and the European Commission to make comparisons between European data protection principles and foreign standards of fair information practice. 16 The European Directive further requires that foreign standards of fair information practice be “adequate” in order to permit transfers of personal information to the foreign destination. 17 

For the United States, this means that both national supervisory authorities and the European Commission must assess the level of protection offered in the United States to data of European origin. Because the United States lacks directly comparable, comprehensive data protection legislation, the assessment of “adequacy” is necessarily complex. The European Commission and national supervisory authorities recognize that the context of information processing must be considered to make any determination of “adequacy.” 

10 European Directive 95/46/EC, at art. 2(a). 

11 See Reidenberg & Schwartz, supra note 1, at 124-126. 

12 Reidenberg & Schwartz, supra note 1, at 133-34. 

13 European Directive 95/46/EC, art. 29. 

14 Douwe Korff (ed.), Existing case-law on compliance with data protection laws and principles in the Member States of the European Union, Annex to the Annual Report 1998 of the Working Party Established by Article 29 of Directive 95/46/EC (Eur. Comm: 1998). 

15 Consumers International, Privacy@Net: An International Comparative Study of Consumer Privacy on the Internet (Jan. 2001). 

16 European Directive 95/46/EC, art. 25. 

17 Id. 

Under the European Directive, the national data protection supervisory authorities and the European Commission must report to each other the non-European countries that do not provide adequate protection. This bifurcated assessment of foreign standards means that intra-European politics can play a significant role in the evaluation of US data practices. While a European level decision is supposed to apply in each Member State, the national supervisory authorities are independent agencies and will still have a degree of interpretive power over any individual case. 

The end result for the United States and for American companies is that US corporate information practices are under scrutiny in Europe and under threat of disruption when fair information processing standards are not applied to protect European data. Some commentators have predicted that any European export prohibition might spark a trade war that Europe could lose before the new World Trade Organization. 18 While, in theory, such a situation is possible, an adverse WTO ruling is unlikely. 19 

c) International Influence of the EU Directive 

Even with the difficulties of the European approach, countries elsewhere are looking at the European Directive as the basic model for information privacy, and significant legislative movements toward European-style data protection exist in Canada, South America, and Eastern Europe. 20 This movement can be attributed partly to the pressure from Europe arising from scrutiny of the adequacy of foreign privacy rights, but is also due in part to the conceptual appeal of a comprehensive set of data protection standards. In effect, Europe through the European Directive has displaced the role that the United States held since the famous Warren and Brandeis article 21 in setting the global privacy agenda. 

d) Second Class Privacy for US Citizens 

With the imposition by the European Directive both of harmonized European legal requirements for the fair treatment of personal information and of limitations on transborder data flows outside of Europe, U.S. companies recognize that they will have to respect European legal mandates. Unless American companies doing business in Europe choose to flout European law, US multinational businesses must provide stringent privacy protections to data of European origin when processing that data in Europe or in the United States. 

Concurrently, American law and practice allows those same companies to provide far less protection, if any, to data about American citizens. This is a particularly troubling aspect of US opposition to the European Directive’s standards. American companies will either provide Europeans with better protection than they provide to Americans or they will treat Americans in accordance with the higher foreign standards and disadvantage those citizens doing business with local US companies. 

In effect, the proliferation of European style data protection measures around the world means increasingly that American citizens will be left with second class privacy in the United States and afforded greater privacy protection against American companies outside US borders. 

3. THE FALSE HOPES OF THE US-EU SAFE HARBOR AGREEMENT 

In response to the risk that Europe would block data flows to the United States, the Department of Commerce entered into negotiations with the European Commission to create a “safe harbor” agreement that would assure Europe of the adequacy of protection for data processed by US businesses. In the absence of statutory protection in the United States, the concept was that the European Commission would endorse a voluntary code of conduct that would meet the “adequacy” standard. American businesses could then publicly commit to adhere to this code for the treatment of European origin data and be assured of uninterrupted data flows from Europe. 

18 See Peter Swire & Robert Litan, None Of Your Business: World Data Flows, Electronic Commerce, And The European Privacy Directive 188-196 (1998). 

19 See e.g. Gregory Shaffer, Globalization and Social Protection: The Impact of EU and International Rules in Ratcheting Up of U.S. Privacy Standards, 25 Yale J. Int’l L. 1, 50 (2000). 

20 See, e.g., Council of Europe, Chart of Signatories and Ratifications <http://www.coe.fr/tablconv/108t.htm> (visited March 31, 1999) (listing countries that have ratified the treaty on data privacy); Industry Canada, Task Force on Electronic Commerce: The International Evolution of Data Protection (Oct. 1, 1998) (visited on March 31, 1999) <http://ecom.ic.gc.ca/english/fastfacts/43dl0.htm> (justifying the Canadian proposal for a comprehensive privacy law by reference to the European initiative); Hong Kong, Personal Data (Privacy) Ordinance, Chap. 486 <http://www.pco.org.hk/ord/section OO.html> (Hong Kong statute following European comprehensive model); Hungarian Republic, The First Three Years of the Parliamentary Commissioner for Data Protection and Freedom of Information 68-72 (1998) (discussing the influence of the European Directive for Hungarian data protection law); Pablo Palazzi, Data Protection Materials in Latin American Countries (Dec. 2000) (http://www.ulpiano.com/DataProtection-LA-links.htm) (detailing the emergence of data protection legislation in Latin America.) 

21 See Samuel Warren & Louis Brandeis, The Right of Privacy, 4 Harv. L. Rev. 193 (1890). 

The lengthy and troubled negotiations on the code began in 1998 between the Department of Commerce and the European Commission. Toward the end of the negotiations, several of the particularly difficult issues were the existence of a public commitment for companies adhering to the code, the access rights and enforcement in the United States. A final set of documents including an exchange of letters, the Safe Harbor Privacy Principles, Frequently Asked Questions setting out interpretative understandings of the principles, and various annexes and representations made to the European Commission by the Department of Commerce and the Federal Trade Commission (collectively the “Safe Harbor”) was released in July 2000 22 and approved by the European Commission. 23 

While the approval was an important short-term political victory for both the US 
and the European Commission, the safe harbor agreement is unworkable for both 
sides and will not alleviate the issues of weak American privacy protection. 

a) The Political Dimension 

For the European side, the United States posed a major problem. American law did not provide comparable protections to European standards and fair information practices in the United States were rather spotty. Yet, European regulators did not want to cause a disruption in international data flows. The prospect of change in US law seemed remote and the European Commission would have serious political difficulty insisting on an enforcement action against data processing in the United States prior to the full implementation of the European Directive within the European Union. Similarly, an aggressive enforcement strategy by a national supervisory authority while transposition remained incomplete could have hampered the national legislative debates on transposition. The Safe Harbor offered a mechanism to delay facing tough decisions about international privacy and, in the meantime, hopefully advance US privacy protections for European data. 

On the US side, the Department of Commerce faced strong pressure from the 
American business community to block the European Directive. The United States 
was not prepared to respond to the Directive with new privacy rights and the 
United States wanted to prevent interruptions in transborder data flows. The Safe 
Harbor became a mechanism to avoid a showdown judgment on the status of Amer- 
ican law and defer action against any American companies. 

As such, the acceptance in July 2000 of the Safe Harbor by the European Union 
was a transitory political success. 

b) The Dubious Legality of Safe Harbor 

In the United States, however, the Safe Harbor faces a serious jurisdictional ob- 
stacle to its enforcement — one of the key European criteria for acceptance. The De- 
partment of Commerce issued the Safe Harbor documents “to foster, promote, and 
develop international commerce.” 24 The agreement is predicated on the enforcement 
powers of the Federal Trade Commission under Section 5 of the Federal Trade Com- 
mission Act. 25 Indeed, as part of the negotiations, the Federal Trade Commission 
represented to the European Commission that it “will give priority to referrals of 
non-compliance with safe harbor principles from EU member states.” 26 Yet, the un- 
derlying legal authority of the FTC to enforce the Safe Harbor is questionable. 

As originally enacted by the Federal Trade Commission Act in 1914, Section 5 applied 
only to unfair methods of competition. 27 Jurisdiction over any “unfair or deceptive 
act or practice” was extended to the FTC by the Wheeler-Lea Act of 1938. 28 The stated 
Congressional purpose was to enable the FTC to “restrain unfair and deceptive acts and 
practices which deceive and defraud the public generally.” 29 Indeed, contrary to the 
purpose of the Safe Harbor that protects US business interests in international trade, 
the Wheeler-Lea Act amendments sought to protect the general public from unscrupulous 
business practices. In fact, at the time of the enactment, the FTC’s jurisdiction 
expressly excluded foreign commerce not to mention the protection of foreign consumers 
as envisioned by Safe Harbor. 


22 Dept. of Commerce, Int’l Trade Adm., Notice: Issuance of Safe Harbor Principles and 
Transmission to European Commission, 65 Fed. Reg. 45665-45686 (July 24, 2000) 

23 Commission Decision of 26 July 2000, Eur. Comm. Doc. 00/520/EC, O.J. L 215 (25/8/2000) 

24 Letter, dated July 21, 2000, from Robert S. LaRussa, Acting Under Secretary for 
International Trade Administration, U.S. Department of Commerce to John Mogg, Director, 
DGXV, European Commission <http://www.export.gov/safeharbor/USLETTERFINALl.htm> 

25 15 U.S.C. § 45(a) 

26 Letter, dated July 14, 2000, from Robert Pitofsky, Chairman, Federal Trade Commission 
to John Mogg, Director, DGXV, European Commission. 

27 15 U.S.C. 45 

28 Ch. 49, 52 Stat. 111 (Mar. 21, 1938) 

While the McGuire Resale Price Maintenance Act of 1952 30 expanded FTC juris- 
diction into foreign commerce with respect to monopolistic pricing, the U.S. Supreme 
Court had specifically held that only Congressional amendments could expand the 
scope of the FTC’s authority under Section 5. 31 In Bunte Bros. v. FTC, the Commis- 
sion unsuccessfully sought an expansion of its interstate commerce authority in the 
context of anti-trust enforcement. 32 Congress eventually responded with the Magnuson-Moss 
Warranty — Federal Trade Commission Improvement Act of 1975 33 that 
was, according to the Senate Conference Report, designed “to improve [the FTC’s] 
consumer protection activities.” 34 The 1975 amendments extended the jurisdiction 
to acts and practices “in or affecting commerce,” but at no time contemplated pro- 
tecting American business interests or foreign consumers. 

Hence, the assertion by the Department of Commerce and the FTC that the Safe 
Harbor comes within the Section 5 jurisdiction is a radical departure from the stat- 
ed legislative purposes of the statute and in direct opposition to the Supreme 
Court’s restrictive interpretation of Section 5 authority. 

Within Europe, the legality of Safe Harbor is also open to question. Under the 
European Directive, “adequacy” must be assessed in light of the prevailing “rules of 
law, both general and sectoral, in force in the third country in question and the pro- 
fessional rules and security measures which are complied with in that country.” 35 
However, the Safe Harbor was not yet in existence at the time of the approval by 
the European Commission. The European Parliament specifically noted this problem 
shortly before the approval by the European Commission. 36 Similarly, according to 
the European Directive, the European Commission only has authority to enter into 
negotiations to remedy the absence of “adequate” protection after a formal finding 
that the non-European country fails to provide “adequate” protection. 37 Yet, in the 
context of the Safe Harbor negotiations, the European Commission never made a 
formal finding. 38 These would appear to be significant administrative law defects. 
Although the European Commission maintains that the European Parliament did 
not say that the Commission acted outside its powers and the Member States voted 
unanimously in the political committee to accept the Safe Harbor, 39 this administra- 
tive process problem remains an open question that only the European Court of Jus- 
tice can resolve and gives the independent national supervisory authorities grounds 
to vitiate Safe Harbor through strict interpretations of the European Commission’s 
ruling. 

In addition, the European Parliament pointed out: 

“the risk that the exchange of letters between the Commission and the US De- 
partment of Commerce on the implementation of the ’safe harbour’ principles 
could be interpreted by the European and/or United States judicial authorities 
as having the substance of an international agreement adopted in breach of Ar- 
ticle 300 of the Treaty establishing the European Community and the require- 
ment to seek Parliament’s assent (Judgment of the Court of Justice of 9 August 
1994: French Republic v. the Commission — Agreement between the Commission 


29 S. 1077: Report of the Senate Committee on Interstate Commerce, S. Rep. No. 221, 75th 
Cong., 1st Sess. (March 19, 1937). 

30 Ch. 745, 66 Stat. 632 (July 14, 1952) 

31 Bunte Bros. v. F.T.C., 312 U.S. 349 (1941). 

32 Id. 

33 Pub. L. 93-637, 88 Stat. 2193, §201, 15 U.S.C. §45 (1970 ed., Supp. IV) 

34 Magnuson-Moss Warranty-Federal Trade Commission Improvement Act, Pub. L. No. 93-637, 
Senate Conf. Report No. 93-1408 (Dec. 18, 1974) 

35 European Directive 95/46/EC, art. 25(2) 

36 European Parliament Resolution A5-0177/2000 on the Draft Commission Decision on the 
adequacy of the protection provided by the Safe Harbour Privacy Principles and related Fre- 
quently Asked Questions issued by the US Department of Commerce (C5-0280/2000-2000/ 
2144(COS)) (July 5, 2000) 

37 European Directive 95/46/EC, art. 25(5). 

38 The procedure for a formal finding is established in European Directive 95/46/EC, art. 25(4). 

39 See Eur. Comm. Press Release: Frits Bolkestein tells Parliament Committee he intends to 
formally approve “safe harbor” arrangement with US on data protection, July 13, 2000 
<http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor5.htm> 
and the United States regarding the application of their competition laws (Case 
C-327/91))” 40 

b) The Limited Applicability 

Notwithstanding the validity in either legal system, the scope of the Safe Harbor 
is very narrow. First, Safe Harbor by its terms can only apply to activities and U.S. 
organizations that fall within the regulatory jurisdiction of the FTC and the Depart- 
ment of Transportation. As a result, many companies and sectors will be ineligible 
for Safe Harbor including particularly the banking, telecommunications and employ- 
ment sectors that are expressly excluded from the FTC’s jurisdiction. 41 Second, the 
Safe Harbor will not apply to most organizations collecting data directly in Europe. 
Article 4 of the European Directive provides that if a data controller is located out- 
side of the European Union, but uses equipment within the European Union, the 
law of the place where the equipment is located will be applicable. This provision 
establishes a choice of law rule that greatly reduces the availability of the Safe Har- 
bor to international business. This provision of the Directive is especially significant 
in the context of web based businesses where interactive computing means that a 
European user will always make use of computing resources at the user’s location. 
The courts of Member States, such as France, have shown in other areas a clear 
willingness to apply the substantive law of the place where an Internet user is lo- 
cated. 42 Hence, in many cases, particularly in the context of ecommerce, the sub- 
stantive law of a Member State will apply rather than the Safe Harbor. 

c) Increased Risk to Non-Safe Harbor Transfers 

By implication, the Safe Harbor raises the risks for data transfers by companies 
that do not subscribe to the code. The approval by the European Commission of Safe 
Harbor as an “adequate” basis to transfer personal information to the United States 
implicitly acknowledges that transfers outside the scope of the Safe Harbor will not 
be adequately protected. Consequently, non-Safe Harbor transfers must be covered 
by one of the other exceptions to the transborder data flow rules, such as a transfer 
pursuant to a contractual arrangement. 43 

Ironically, Safe Harbor simplifies the task for national supervisory authorities to 
block data flows to the United States. The national agencies will readily be able to 
identify those US companies that do not subscribe to Safe Harbor and have not pre- 
sented a data protection contract for approval under the European Directive’s Arti- 
cle 26 exceptions. In such cases, the presumption must be that the protection is “in- 
adequate” and the data flow must, under European law, be prohibited. 

For the United States, the Safe Harbor approach might, thus, compromise many 
US businesses in a way that a legislative solution would not. 

d) Weakening of European Standards and Illusory Enforcement Mechanisms 

For the national supervisory authorities in Europe, the Safe Harbor poses a weak- 
ening of European standards. 44 In particular, the permissible derogations from Safe 
Harbor without a loss of coverage are significant. The Safe Harbor exempts public 
record information despite its ordinary protection under European law. Similarly, 
the Safe Harbor exempts any processing pursuant to any “conflicting obligation” or 
“explicit authorization” in US law whether or not such processing would be permis- 
sible under European standards. The access standard set out in the Safe Harbor 
and FAQs also includes derogations that do not exist in European law. 

Most importantly, however, the Safe Harbor weakens European standards for re- 
dress of data privacy violations. Under the European Directive, victims must be able 
to seek legal recourse and have a damage remedy. 45 The Department of Commerce 
assured the European Commission that Safe Harbor and the US legal system pro- 
vided remedies for individual European victims of Safe Harbor violations. The Euro- 
pean Commission expressly relied on representations made by the Department of 
Commerce concerning available damages in American law. 46 The memorandum pre- 
sented by the Department of Commerce to the European Commission, however, 


40 European Parliament Resolution A5-0177/2000 on the Draft Commission Decision on the 
adequacy of the protection provided by the Safe Harbour Privacy Principles and related Fre- 
quently Asked Questions issued by the US Department of Commerce (C5-0280/2000-2000/ 
2144(COS)) (July 5, 2000), §E(2). 

41 15 U.S.C. § 45(a)(2) 

42 See e.g. UEJF c. Yahoo!, TGI de Paris, Ord. en refere du 22 nov. 2000. 

43 European Directive 95/46/EC, art. 26. 

44 See Working Party: Opinion 4/2000 on the level of protection provided by the “Safe Harbor 
Principles”, Opinion 4/2000, Eur. Comm. Doc. DG MARKT CA07/434/00 WP 32 (16 May 2000) 

45 European Directive 95/46/EC, art. 22-23 

46 Commission Decision of 26 July 2000, Eur. Comm. Doc. 00/520/EC, O.J. L 215 (25/8/2000), 
Art. 1(b) 
made misleading statements of US law. 47 For example, the memorandum provides 
a lengthy discussion of the privacy torts and indicates that the torts would be avail- 
able. The memorandum failed to note that the applicability of these tort actions to 
data processing and information privacy has never been established by US courts 
and is, at present, purely theoretical. Indeed, the memorandum cites the tort for 
misappropriation of a name or likeness as a viable damage remedy, yet all three 
of the state courts that have addressed this tort in the context of data privacy have 
rejected it. 48 The Safe Harbor is also predicated on dispute resolution through seal 
organizations such as TRUSTe. Yet, only one seal organization, the Entertainment 
Software Rating Board, proposes any direct remedy to the victim of a breach of a 
privacy policy and other organizations’ membership lists look like a “Who’s Who” of 
privacy scandal plagued companies. 

Lastly, the enforcement provisions of the Safe Harbor rely on the FTC. Even if 
the FTC has jurisdiction to enforce the Safe Harbor, the assertion that the FTC will 
give priority to European enforcement actions is hard to believe. First, although the 
FTC has become active in privacy issues recently, the agency’s record enforcing the 
Fair Credit Reporting Act, one of the country’s most important fair information 
practices statutes, is less than aggressive. Second, were the FTC to devote its lim- 
ited resources to the protection of Europeans’ privacy, Americans should and will 
be offended that a US government agency charged with protecting American con- 
sumers has chosen to commit its energies and US taxpayer money to the protection 
of European privacy in the United States against US businesses at a higher level 
than the FTC asserts for the protection of Americans’ privacy. 

Sadly, though, for many American companies, even these weakened European 
standards impose substantially greater obligations than US law. In particular, the 
notice, choice, access and correction requirements are only sporadically found in US 
law. As a result, pitifully few American companies have subscribed to Safe Harbor; 
indeed, as of March 7, 2000 fewer than 30 companies have signed up. 49 

The upshot of these sui generis standards, unenthusiastic reception and enforce- 
ment weaknesses is a likelihood that the national supervisory agencies will be dis- 
satisfied with the Safe Harbor and that the Member States will face great political 
pressure to suspend the Safe Harbor once transposition is completed. 

4. RECOMMENDATIONS 

The United States is rapidly on the path to becoming the world’s leading privacy 
rogue nation. Just a cursory examination of the data scandals over the last year and 
consumer privacy concerns for ecommerce suggest that our national policy of self- 
regulation will not work to assure public confidence and trust in the treatment of 
personal information, cannot work to guarantee citizens their political right to free- 
dom of association and privacy, and will leave American businesses at a competitive 
disadvantage in the global information market place. At a time when Internet 
growth rates are greater outside the United States and non-US web content is be- 
coming an absolute majority of available Internet content, United States interests 
are ill-served by avoiding the creation of clear legal privacy rights. 

Congress needs to act to establish a basic set of legal protections for privacy in 
the United States. Any such regulation must recognize that technologies will be es- 
sential to assure privacy protections in the global environment across divergent sets 
of rules. In fact, technical decisions are not policy neutral. Technical decisions make 
privacy rules and, more often than not, these rules in the United States are privacy 
invasive. For technology to provide effective privacy protection, three conditions 
must be met: (a) technology respecting fair information practices must exist; (b) 
these technologies must be deployed; and (c) the implementation of these tech- 
nologies must have a privacy protecting default configuration. Legal rights in the 
United States should provide an incentive structure that encourages these develop- 
ments. 

In conjunction with the establishment of a legal baseline in the United States, 
Congress should promote the negotiation of a “General Agreement on Information 
Privacy” within the World Trade Organization framework. 50 Whether desired or not 
by various interest groups and countries, the WTO will be unable to avoid con- 


47 U.S. Dept. of Commerce, Damages for Breaches of Privacy, Legal Authorizations and 
Mergers and Takeovers in U.S. Law (July 14, 2000) 

48 See Shibley v. Time 45 Ohio App. 2d 69 (1975); Dwyer v. American Express 273 Ill. App. 
3d 742 (1995); Avrahami v. U.S. News & World Report, 1996 Va. Cir. LEXIS 518 (1996). 

49 U.S. Dept. of Commerce, Safe Harbor List, 
http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (reflecting only 
27 certifications) 

50 See Joel R. Reidenberg, Resolving Conflicting International Privacy Rules in Cyberspace, 52 
Stanford L. Rev. 1315, 1359-1362 (2000) 

fronting international privacy issues as a result of the biennial ministerial con- 
ferences and the inevitable trade-in-services agenda. Many of the core differences 
among nations on the implementation of privacy principles touch upon fundamental 
governance and sovereignty questions. These types of problems will only be resolved 
at an international treaty level like the WTO. 

Mr. Stearns. Thank you. 

Ms. Lawler, your opening statement, please? Thank you. 

STATEMENT OF BARBARA LAWLER 

Ms. Lawler. Yes. Thank you, and thank you for having me here 
today. Mr. Chairman, members of the subcommittee, thank you for 
the invitation to appear today to discuss the EU Data Protection 
Directive. 

My name is Barbara Lawler, and as Customer Privacy Manager 
for Hewlett Packard I have global responsibility for HP privacy pol- 
icy management, implementation, compliance, education, and com- 
munication, in both the online and offline worlds. 

As you, Mr. Chairman, stated in calling for this hearing, the Eu- 
ropean privacy directive has implications for how we in the United 
States conduct and address our domestic privacy issues. I am 
pleased, therefore, to have this opportunity to talk about HP’s par- 
ticipation in the safe harbor agreement, which provides legal pro- 
tection and a framework for allowing the safe transfer of personal 
information from the EU countries to the U.S. 

I am pleased to say that HP is the first major technology com- 
pany to join the safe harbor. But, first, let me start by giving you 
an overall picture of how we manage privacy at Hewlett Packard. 

HP applies a universal, global privacy policy built on the fair in- 
formation practices. Notice, choice, accuracy and access, security 
and oversight. Whether in English, French, or Spanish, the core 
commitments are the same with very minimal localization required 
to reflect local country laws. 

Key elements of our policy include no selling of customer data, 
no sharing of data outside HP without permission, customer access 
to core contact data, and a customer feedback mechanism. The pol- 
icy can be viewed in online form in the lower left-hand corner of 
every HP.com web page. 

The guiding principles that we operate under for managing pri- 
vacy are customers control their personal information. We give 
choices that enhance trust, and, therefore, enhance our business. 
We put the customer in the lead to determine their relationship 
with HP and to have the highest integrity and practices, responses, 
and partners. 

A sample of some of our current global efforts in privacy manage- 
ment include moving to opt-in for marketing content, especially e- 
mail, company-wide training on new privacy standards, new appli- 
cation development and business rules for company-wide multiple 
customer data base consolidation, and platform for privacy pref- 
erences implementation for our most active websites. 

I want to underscore some important distinctions around the opt- 
in discussion and hopefully add some clarity. As I mentioned, it is 
HP policy never to sell or lease our customer data. We have many 
business relationships with other companies, companies that act as 
suppliers and service providers. Those companies are required 
under contract and through non-disclosure agreements to abide by 
our privacy policy. 

A different class of business relationships are our strategic part- 
ners and co-marketing partnerships. As stated earlier, it has al- 
ways been HP policy that there is no sharing of customer data out- 
side HP without permission from the customer. This is an opt-in 
policy for data-sharing with third parties. 

Applying the opt-in standard for marketing contact with HP is 
another order of magnitude more difficult, and let me tell you why. 
We are committed, because this is absolutely the right thing to do 
for our customers. What it requires us to do is to evaluate all cus- 
tomer data bases, our customer privacy data choice elements, the 
data itself, reengineer those data structures, the systems, and all 
of the associated business processes, change the format of the pri- 
vacy question we ask our customers, and then develop implementa- 
tion guides and tools and communicate that new standard HP- 
wide. 

Some of the challenges we are facing is managing conflicting cus- 
tomer choices and a large volume of unknown privacy data choice. 

We do conduct a substantial amount of cross-border commercial 
and consumer business activity between the U.S. and EU, which 
require direct communications between EU country-based HP of- 
fices, independent suppliers and customers, and involves the move- 
ment of personal information on a regular basis. 

In order to have HP’s European offices come into compliance 
with the EU privacy directive, a multi-country assessment of data 
collection use, storage, and movement was conducted out of which 
we identified compliance matches and gaps. Some of our current 
HP specific efforts in Europe include consolidating our customer e- 
mail response process and customizing privacy implementation 
guides for marketing by country. 

On January 29 of this year, HP became the first high-tech com- 
pany to certify under the safe harbor. This demonstrates our con- 
tinued leadership to strong privacy practices in the U.S., and we 
believe it is important because it offers consistency and continuity 
for business operations connected between HP sites located in the 
U.S. and the EU — critical for a global enterprise. 

We believe that consumer confidence will be enhanced by ensur- 
ing privacy rights on and offline in a global commerce environment 
through the safe harbor. E-commerce will grow faster if consumer 
confidence is reinforced by company efforts to ensure consumers 
have an effective recourse for privacy complaints through agree- 
ments like safe harbor. 

Our privacy policy has always been consistent with the safe har- 
bor principles, and we found it consistent with our long-term mem- 
bership with the BBB Online Privacy Seal Program. We view safe 
harbor compliance as really the ultimate self-regulatory approach 
and the next logical commitment in our step to privacy. 

And, finally, let me put this into perspective with the larger 
transborder privacy issue and consumer confidence in the global 
marketplace, because we know consumers not only are concerned 
about their privacy but they are also concerned about whether 
their credit cards are safe online, and if they order a blue vase 
from a website in Paris that they will get what they ordered. 
HP is working with 70 businesses from around the world through 
the global business dialog for electronic commerce to develop world- 
wide consensus on standards for consumer redress systems and 
ADR. Current concerns about consumer confidence must not be allowed 
to turn into barriers for empowering consumers. 

Mr. Stearns. Ms. Lawler, we need you just to sum up, if you 
would. 

Ms. Lawler. I am. HP believes that the safe harbor agreement 
is a significant step in the right direction, and we welcome the op- 
portunity to work with this subcommittee in the development of 
national policies governing the collection and use of personal infor- 
mation. 

[The prepared statement of Barbara Lawler follows:] 

Prepared Statement of Barbara Lawler, Manager, Customer Privacy, 
Hewlett-Packard Company 

Mr. Chairman, Members of the Subcommittee thank you for the invitation to ap- 
pear today to discuss the EU Data Protection Directive. 

My name is Barbara Lawler, and as HP Customer Privacy Manager, I have global 
responsibility for Hewlett Packard privacy policy management, implementation, 
compliance, education and communication, in both the online and offline worlds. 

By way of background, HP is a leading provider of computing and imaging solu- 
tions and services. As a company we are focused on making technology and its bene- 
fits accessible to individuals and businesses through networked appliances, bene- 
ficial e-services and an “always on” Internet infrastructure. HP has 88,500 employ- 
ees worldwide and a total revenue of $48.8 billion in its 2000 fiscal year. 

As you, Mr. Chairman, stated in calling this hearing, the European Privacy Directive 
has implications for how we in the United States will address our domestic privacy 
issues. I am pleased therefore, to have this opportunity to discuss Hewlett-Packard’s 
participation in the “safe harbor” agreement. The safe harbor provides 
legal protection and a framework allowing for the safe transfer of personal informa- 
tion from European Union countries to the United States. I am pleased to say that 
HP is the first major technology company to join the safe harbor. 

As a high-tech company that sells to the consumer market, we take the privacy 
issue very seriously. HP believes that self-regulation and credible third-party enforcement 
— such as the Better Business Bureau privacy seal program — is the single most 
important step that businesses can take to ensure that consumers’ privacy will 
be respected and protected online. We also believe that there should be a “floor” of 
uniform consumer protections which all companies must adhere to; based upon clear 
and conspicuous disclosure of privacy policies. HP testified last Congress in favor 
of the McCain/Kerry privacy bill (S. 2928) which we think meets the test of reason- 
able, practicable privacy protections. And, as I will discuss further, with our own 
websites, we are moving as quickly as we can, wherever possible, to an “opt-in” en- 
vironment. 

Managing Privacy at Hewlett Packard 

Let me start by giving you an overall picture of how we manage privacy at Hew- 
lett Packard. HP applies a universal, global privacy policy built on the fair informa- 
tion practices: notice, choice, accuracy & access, security and oversight. Whether in 
English, French or Spanish, the core commitments are the same, with minimal lo- 
calization required to reflect local country laws. Key elements of the policy include 
no selling of customer data, no sharing of customer data outside HP without permis- 
sion, customer access to core contact data and a customer feedback mechanism. 

The policy can be viewed in online form at the lower left-hand corner of every 
hp.com web page: http://www.welcome.hp.com/country/us/eng/privacy.htm 

The guiding principles for managing privacy in HP are: 

• customers control their own personal data 

• give choices that enhance trust and therefore enhance the business 

• put the customer in the lead to determine their relationship with HP 

• have the highest integrity in practices, responses and partners 

HP people apply the privacy policy to marketing, support, e-services and product 
generation using a set of HP-developed tools called the “Privacy Rulebook” and the 
“Web Site Data and Privacy Practices Self-Assessment Tool”. 

A sample of current HP global privacy initiatives include: 
• moving to opt-in for marketing contact, especially e-mail 

• company-wide training on new privacy standards 

• new application development and business rules for company-wide multiple customer 
database consolidation 

• Platform for Privacy Preferences (P3P) implementation for our most active web sites 

I want to underscore some important distinctions around the “opt-in” discussion 
and add some clarity. It’s HP policy to never sell or lease our customer data. HP 
has many business relationships with other companies. Companies that act as serv- 
ice providers or suppliers are required under contract and through a Confidential 
Non-Disclosure Agreement to abide by HP’s privacy policy. 

A different class of business relationships is HP’s strategic partnerships and co- 
marketing partners. As stated earlier, it’s always been HP policy that there is no 
sharing of customer data outside HP without permission from the customer. This 
is an opt-in policy for data sharing with third parties. 

Applying the opt-in standard for marketing contact within HP is an order of mag- 
nitude more difficult, but we’re committed because it’s the right thing to do for our 
customers. Implementing opt-in for marketing contact requires us to evaluate all 
customer databases and customer privacy choice data elements, re-engineer the data 
structures, systems and associated processes, change the privacy question format 
itself, develop implementation guides and tools, and communicate the new standard 
hp-wide. Some of the challenges we face are in the areas of managing a program- 
specific customer privacy choice with a “top-down” HP request and resolving a large 
volume of “unknown” privacy choice data. 

Managing the EU directive in an intra-European environment

In addition to the core universal HP privacy practices already described, HP has developed specific standards, practices and tools to operate within the framework of the European Data Protection Directive in our European country organizations. These were developed out of a cross-functional HP task force with representatives from Customer Information, Human Resources, Privacy Management, Legal, Risk Management, Information Technology and Workers Council delegates.

HP conducts a substantial amount of cross-border commercial and consumer business activity between the US and EU countries. This requires direct communications with EU country-based HP offices, independent suppliers and customers, and involves the receipt and sharing of personal information from them on a regular basis. In order for HP’s European offices to come into compliance with the EU privacy directive, a multi-country assessment of data collection, use, storage, and movement was conducted, out of which compliance matches and gaps were identified. Industry benchmarking was conducted concurrently. From there specific action plans were developed and the following deliverables completed:

• IT/Application Data Privacy Sensitivity and Development Checklist

• Confidential Non-disclosure agreement for contracts with suppliers

• Personal Data(base) Access Standards for employees

• Data Protection Clause — Individual Undertaking Agreement for employees

• Data Protection Officer for HP Germany

• Data Protection Officer — HP European Region (in process)

• Customer Privacy Manager — HP European Region (in process)

• Establishment of European Region Privacy Council (pending)

Current HP European-specific efforts include consolidating the customer email response process for privacy questions and customized privacy implementation guides for marketing programs by country.

Managing the EU directive requirements in the US (Safe Harbor)

On January 29th, 2001, HP became the first high-tech company to certify with the U.S. Department of Commerce for Safe Harbor. This demonstrates our continued leadership in strong privacy practices in the U.S. The Safe Harbor framework offers consistency and continuity for business operations conducted between HP sites located in the United States and the European Union, critical for a global enterprise. HP has certified data collected by online, offline and manually processed methods. HP conducts a substantial amount of cross-border commercial and consumer business activity with direct involvement of EU country-based HP offices and independent suppliers.

We believe that consumer confidence will be enhanced by ensuring customer privacy rights on- and off-line in a global commerce environment. E-commerce will grow faster if consumer confidence is reinforced by company efforts to ensure consumers have an effective recourse for privacy complaints through agreements like the Safe Harbor.
The practices described in the HP privacy policy have long been consistent with the Safe Harbor principles. As a member of the Safe Harbor compliant BBBOnLine Privacy Seal program for the last 16 months, we were pleased to see close alignment between our existing privacy policy and the Safe Harbor Principles. The verification requirements mapped well to existing internal HP privacy standards and practices.

HP views Safe Harbor compliance as a self-regulatory bridge to different approaches to data privacy between the United States and European Union; it’s the ultimate “self-regulatory” approach. Joining the Safe Harbor is the next logical step in our commitment to privacy protection.

Finally, I would like to put the trans-border privacy issue into the larger perspective of consumer confidence in the global electronic marketplace. While consumers are concerned about their privacy online, they are also concerned about whether their credit cards are safe online, and whether if they order a blue vase from a website in Paris or Tokyo, they will get what they order in the quality and condition they expected. In order for online businesses to truly earn the trust of consumers, we need to expand ongoing efforts to ensure that the global electronic marketplace is a clean, well-lighted venue for both consumers and businesses. For example, consumers need to have confidence that when they do business across national borders, there will be a redress system in place should anything go wrong with the transaction.

HP is working with 70+ businesses from around the world through the Global Business Dialogue for electronic commerce to develop worldwide consensus standards on consumer redress systems, or ADR. In this effort, we are working with consumer groups and the FTC and the European Commission to ensure that consumers and businesses will quickly, fairly and efficiently resolve complaints related to online transactions.

Current concerns about consumer confidence must not be allowed to turn into barriers to empowering consumers through global e-commerce. Hewlett-Packard believes that the safe harbor agreement is a significant step in the right direction, and we welcome the opportunity to work with this subcommittee in the development of national policies governing the collection and use of personal information.

Mr. Stearns. Thank you. 

Mr. Henry, your opening statement? 

STATEMENT OF DENIS E. HENRY 

Mr. Henry. Thank you, Mr. Chairman, for this invitation. 

As you mentioned, I am with Bell Canada, so let me begin by 
telling you who we are. Bell Canada and its affiliates have a wide 
variety of consumer-facing business activities, and as a result we 
have been keenly interested in the privacy issue for many years. 

We are the largest telecommunications carrier and internet service provider in Canada, and in keeping with the convergence trend we also have a number of investments on the content side of the business, including an internet portal, broadcast television, direct-to-home satellite

Mr. Stearns. Mr. Henry, we would ask you just to move your 
microphone just a shade up there. 

Mr. Henry. Certainly. 

Mr. Stearns. That is good. 

Mr. Henry. Direct-to-home satellite, and, most recently, a national newspaper we have added to the portfolio.

Now, let me turn to Canada’s approach to privacy and our response to it. With the advent of new technologies, a number of options to address the concern about protecting personal information have been debated in various circles around the world. And I would characterize the Canadian approach as lying somewhere in the middle of the spectrum of options.

It is not a detailed and prescriptive regulatory regime. On the 
other hand, it is not an approach that relies primarily on market 
forces. 
Back in 1996, in response to rising concerns about privacy, the Canadian Standards Association released its model code for the protection of personal information, which we call the CSA Code, as a voluntary national standard. The CSA Code was based on the OECD privacy guidelines and was the product of a consensus-building process involving government, consumers, and key industry sectors.

However, following development of the CSA Code, consumer concerns about privacy persisted. Faced with this environment, the government of Canada undertook broad public consultations to explore the possibility of a legislative approach. These discussions revealed broad support for a self-regulatory approach but assisted by framework legislation that would encourage industry groups to develop sectoral codes based on the CSA Code.

And this ultimately led the Canadian government to enact Federal privacy legislation last year, which is to come into effect or came into effect January 1st of this year. Its objective has been to establish harmonized national rules across the country based on a light-handed and flexible legislative framework.

The Act is also intended to meet the adequate data protection requirements of the EU Data Protection Directive.

This new piece of Federal privacy legislation requires all organizations that collect, use, or disclose personal information to comply with the CSA Code which is appended to the Act, and the Act reflects a flexible approach that does not prescribe particular treatment of personal information, but, rather, organizations can develop codes and practices tailored to their particular business circumstances.

The legislation also requires commercial organizations to identify the purposes for which personal information will be collected, used, and disclosed, and to obtain consent of individuals. Consent can be either express or implied, depending on the circumstances and depending on the sensitivity of the information, and, again, reflecting a flexible approach.

The Act also establishes a Federal privacy commissioner as its prime overseer. This commissioner has broad powers to receive and investigate complaints and to conduct audits of company practices. Unresolved disputes can be taken before the Federal court of Canada for a hearing and enforcement, including the possibility of damages.

Recently, the Bell companies released the Bell Code of Fair Information Practices, in compliance with the CSA Code and the new legislation. And in order to implement this code, the companies have embarked on a plan that incorporates a number of elements.

First of all, procedures were put in place to ensure that customers and employees are able to review and correct company records that contain their personal information. Customers are also able to challenge the company’s compliance with the code through the Bell privacy ombudsman.

Second, companies have implemented a communications plan to inform customers of the privacy policies using, for example, a number of means, telephone directories, web pages, bill inserts, point of sale brochures, and so on. The companies are also undertaking an extensive training program to ensure that employees understand and uphold our privacy commitments.

The companies have also undertaken a comprehensive review of their information systems to ensure that the provisions of the code will be respected. And, finally, regular internal audits will be employed to ensure ongoing compliance.

The Bell companies and many other industry sectors in Canada have supported the Canadian government’s steps in pursuing a new model for the protection of personal information, a model that builds on the voluntary efforts of consumer groups, industry, and governments.

We recognize that protecting customers’ privacy makes good business sense. But at the same time, this objective must be balanced against the legitimate need to use customer information for business purposes and to avoid overly costly and burdensome regulation.

By enacting a flexible legislative framework, the Canadian privacy approach has attempted to strike an appropriate balance.

I hope these comments, Mr. Chairman, have shed some light on 
our unique approach to privacy, and I would be happy to answer 
any questions. 

[The prepared statement of Denis E. Henry follows:] 

Prepared Statement of Denis E. Henry, Vice President, Regulatory Law, Bell Canada

INTRODUCTION:

Thank you, Mr. Chairman, for the invitation to appear before you and the members of the Sub-committee today on this very important subject.

My name is Denis Henry and I am the Vice President of Regulatory Law with 
Bell Canada, the largest telecommunications carrier in Canada. 

As a group, the Bell Companies in Canada provide a full range of communications services to more than eight million residence and business customers. We are among the world’s leading communications organizations, with core investments in telephone networks, both wired and wireless; Internet Protocol (IP)-based networks and solutions; electronic commerce; systems integration; directories and satellite networks. We are a major player in the local exchange, long distance and Internet access markets, including high speed access. On the content side of the business, we have investments in cable programming channels, broadcast television, a multi-channel video program distributor through our direct-to-home satellite service, an Internet portal, new media and most recently a national newspaper. Given all of these varied business activities, most of which deal directly at the consumer level, we have been keenly interested in these issues for many years.

I understand the Sub-committee is interested in hearing about Canada’s approach 
to privacy as you consider the implications of the EU Data Protection Directive. 

THE CANADIAN PRIVACY ENVIRONMENT: 

Part of Canada’s electronic commerce strategy recognizes that the future growth of the information highway will allow Canada to capitalize on the full potential of electronic commerce, with its ensuing economic and social benefits. We have recognized that in order to ensure that business and consumers fully embrace electronic commerce, building trust is critical and building trust means providing reasonable protection of personal information and privacy. At the same time, in order for Canada to become a leader in the global knowledge-based economy, the cost for business of managing personal information must also be reasonable and manageable.

This concern about protecting personal information has attracted the interest of governments around the world and a number of options to address the issue have been debated in various circles. One approach is to adopt a comprehensive regulatory regime with a very detailed, prescriptive, all-encompassing set of privacy provisions that applies to all organizations in all industries. At the other end of the spectrum is an approach that relies almost exclusively on market forces with specific legislation on a sectoral basis to deal with the most serious abuses. The Canadian approach lies somewhere in the middle.

THE CANADIAN APPROACH TO PRIVACY: 

In October 1998, the Governments of the OECD Member countries attending the Ministerial Conference (A Borderless World: Realizing the Potential of Global Electronic Commerce) in Ottawa, Canada, adopted the Ministerial Declaration on Protection of Privacy on Global Networks which reaffirmed the importance of protecting privacy and recognized that the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the “OECD Privacy Guidelines”) continue to provide an international foundation for the protection of privacy on any medium. The technology-neutral principles of the OECD Privacy Guidelines have formed the basis of self-regulatory and legislative initiatives internationally for almost two decades and continue to represent an international consensus for the collection, use and disclosure of personal information in any medium.

Let me then describe how the Canadian approach to privacy has built upon and 
implemented these Guidelines. 

a) The CSA Model Code for the Protection of Personal Information 

In the early 1990s, the level of concern of individuals over their privacy in general, and their lack of control over their personal information in particular, continued to rise coincident with the increased use of new technologies. In the face of this, the Government of Canada encouraged the business community to create a new Canadian standard for the protection of personal information. As a result, a Technical Privacy Committee of the Canadian Standards Association (“CSA”) was struck that broadly represented all key stakeholders: business, government and consumers. Those organizations that participated represented key industry sectors with vast consumer bases that had a large stake in establishing an effective standard for the protection of personal information, e.g. the telecommunications, cable, banking, insurance, credit reporting and marketing sectors.

After a series of deliberations, the CSA Model Code for the Protection of Personal 
Information, CAN/CSA-Q830-96 (the “CSA Code”), was finalized and released as a 
National Standard of Canada in March 1996. The CSA Code is based on the OECD 
Privacy Guidelines and therefore represents a global standard. A summary of the 
CSA Code’s 10 Principles is appended as an attachment to this testimony. 

The Bell Companies participated actively in the development of the CSA Code. The Code’s ten principles represent a cohesive and balanced set of fair information practices that reflect the needs and concerns of all parties. The Code clearly recognizes individual rights to control and limit personal information use, reflects the legitimate needs of companies to use information for business purposes, and establishes corresponding obligations for organizations to be accountable, obtain informed consent, safeguard personal data, and be open about policies and practices. As a “model” code, the CSA standard represents a set of minimum requirements and allows for the tailoring of the standard to meet the specific circumstances of an organization.

b) The Personal Information Protection and Electronic Documents Act 

Following development of the CSA Code, repeated surveys continued to underscore that Canadians were still concerned about the effect of new communications technologies on their privacy. While electronic commerce was starting to take off, many consumers were still reluctant to make purchases on-line because they lacked confidence in the security and privacy of on-line transactions. They were still unsure about what they could do or whom they could approach when something went wrong.

Faced with that environment, the Government of Canada’s Industry Department undertook broad public consultations to explore the possibility of a legislative approach. These discussions revealed broad support for self-regulation assisted by framework legislation that would encourage industry groups to develop sectoral codes based on the CSA Code.

After much discussion and consultation with a broad array of representatives from government, industry and consumer groups, the Canadian government introduced in October 1998 draft legislation that was ultimately enacted in the form of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (the “PIPED Act”) in April 2000. Its stated objective has been to establish harmonized national rules across the country. The PIPED Act is also intended to meet the adequate data protection requirements of the EU Data Protection Directive.

This new piece of privacy legislation, which comes into force in basically two stages, is directed at the private sector and requires all organizations that collect, use or disclose personal information in the course of commercial activities to adhere to the CSA Code.

Like the United States, Canada is a federal state. The federal government’s approach to privacy also reflects a rather unique approach to the federal/provincial jurisdictional issue. As of January 1st of this year, the Act applies to all federal undertakings (e.g. telecommunications, broadcasting, airlines and banking industries), and those provincial undertakings that disclose personal information outside the province for consideration. In 2004, the provisions will apply more broadly to all organizations that collect, use, or disclose personal information in the course of commercial activities, including intra-provincial transactions. However, where and whenever a province adopts legislation that is “substantially similar” to the PIPED Act, the organizations covered will be exempted from the application of the federal law and the provincial law will instead govern.

The purpose of the PIPED Act is to (s. 3): 

“. . . establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Due to legislative drafting conventions, it was recognized that it would indeed be difficult to incorporate the CSA Code principles and commentary directly into legislation, without significantly altering the carefully negotiated wording of the standard and compromising the flexible approach embodied in the standard. As a result the government adopted a novel approach to legislative drafting by having the legislation require compliance with the CSA Code, which in turn is reflected in a Schedule to the legislation.

For the most part, the PIPED Act reflects a flexible approach that does not impose or mandate particular treatment of personal information. Rather, organizations can develop codes and practices tailored to their particular business circumstances. The very process of developing a tailored code forces an industry group or company to consider more thoroughly the manner in which to deal with information issues specific to its business activities. Furthermore, the process of developing a tailored code serves to educate participating industry sector members about their obligations and the need to develop corresponding practices and procedures.

The legislation also requires commercial organizations to identify the purposes for which personal information will be collected, used and disclosed, and to obtain the consent of individuals from whom such data is collected. Consent can be either express or implied, depending on the circumstances and the sensitivity of the information — again reflecting a flexible approach. Commercial organizations, therefore, determine the scope of their identified purposes and consumers either accept them by continuing to do business with the organization or reject them by withdrawing consent or “opting out” of a particular proposed collection, use or disclosure.

The PIPED Act establishes a federal Privacy Commissioner as its prime overseer. Individuals may direct to the Commissioner complaints about any aspect of an organization’s compliance with the provisions relating to the protection of personal information in the PIPED Act. The Commissioner has general powers to receive and investigate complaints, including the summoning of witnesses and production of documents and other records. The Commissioner also has express powers to conduct audits and to attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation. In fact, in framing the PIPED Act, the Canadian federal government clearly envisioned the Commissioner in an ombudsman role, with the stated goal of obtaining a resolution of privacy disputes in a non-confrontational manner. The Commissioner also has a mandate to develop and conduct information programs to foster public understanding of the privacy provisions of the PIPED Act.

Unresolved disputes relating to certain matters can be taken before the Federal Court of Canada for a hearing. In addition to its normal powers, the Federal Court may order an organization to correct its practices and award damages to the complainant.

By enshrining the CSA Code in legislation, the Canadian approach to protecting personal information recognizes that market forces alone will not provide the reasonable assurances that consumers require. At the same time, it avoids unnecessary and costly regulation that could stifle the growth potential of new technologies and provides necessary flexibility to tailor specific privacy practices to the unique circumstances of specific industry sectors. In our view, the Canadian approach reflected in the PIPED Act strikes an appropriate balance between a consumer’s desire for privacy and the legitimate needs of business to collect and use personal information.

Rather than imposing a common, detailed set of requirements and standards to be rigidly applied to all organizations in all industries, the Canadian framework legislation, recognizing that personal information needs vary tremendously across different industry sectors, accommodates maximum flexibility consistent with fair information practices.

Most importantly, given the consensus process adopted, the CSA Code has the 
confidence of both consumer groups and the business community and represents, 
therefore, a fair and equitable basis upon which to build a legislative framework. 

THE BELL COMPANIES’ CODE OF FAIR INFORMATION PRACTICES: 

Privacy and security of customer information is considered to be a key attribute 
of the Bell brand, and an important aspect of the relationship between the Bell 
Companies and their subscribers. 

The Bell Companies have long been committed — and continue to be committed — to maintaining the accuracy, confidentiality, security and privacy of customer and employee personal information. This is reflected in existing privacy and confidentiality provisions found in various Company policies and in applicable service rules approved by regulatory agencies over the years. It is also reflected in the high regard and trust with which customers and employees view the management of personal information by the Companies.

Recently, the Bell Companies released the Bell Code of Fair Information Practices (the “Bell Privacy Code” — copy attached). The Bell Privacy Code is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by the Companies to their customers and employees. The objective of the Bell Privacy Code is responsible and transparent practices in the management of personal information, in accordance with the CSA Code and the new legislation.

The Bell Privacy Code stipulates that the Bell Companies can collect personal information only for the following purposes:

a) to establish and maintain responsible commercial relations with customers and to provide ongoing service;

b) to understand customer needs;

c) to develop, enhance, market or provide products and services;

d) to manage and develop their business and operations, including personnel and employment matters; and

e) to meet legal and regulatory requirements.

As is the Companies’ current practice, customers will continue to be able to review company records that contain personal information about them and update/correct any information contained in such records. Customers will also continue to be able to challenge any of the Companies’ compliance with the Privacy Code through the existing office of the Bell Privacy Ombudsman. The office of the Ombudsman, which was established in 1992 in order to deal with unresolved privacy-related complaints, has received very few such complaints in the ensuing years — an indication of the Companies’ commitment to privacy protection and customer satisfaction.

In order to implement the revised Bell Privacy Code, each of the Bell Companies has embarked on a plan that incorporates four elements: communications, training, systems and audit. The Companies are informing customers of the Companies’ respective privacy policies and the implications thereof in a number of ways. The introductory pages of the white pages directory, bill inserts to customers, web pages and point of sale brochures all provide descriptions of the Companies’ privacy policies. Business Office client representatives are also available to answer any questions that subscribers may have with respect to privacy. Copies of the Bell Privacy Code and other related documents are also available through these communication channels.

In addition, the Companies are in the process of ensuring, through training and employee communications, that all employees understand and will uphold the commitments made in the Privacy Code and related documents. Particular attention is focused on employees who have routine access to subscriber personal information as part of their job function. All employees must sign off annually that they understand the Privacy Code, and acknowledge that non-compliance with our privacy commitments could be grounds for dismissal.

The Companies have also undertaken a review of their information systems to ensure that the provisions of the Privacy Code will be adhered to. Finally, regular internal audits will be employed to ensure ongoing compliance.

The Bell Privacy Code will be reviewed at least every 5 years to ensure continued relevance and currency with changing technologies, laws and the evolving needs of the Companies, their customers and employees. New communications plans would precede adoption of any modifications to the Privacy Code.

Finally, we intend to use technology to educate individuals about privacy issues, 
assist them to remain anonymous in appropriate circumstances and to exercise 
choice and control over the collection and use of their personal information. 

CONCLUSION: 

In my view, the development by industry, government and consumers of the CSA Code has had a positive impact in influencing the Canadian government’s approach to legislation in this area. The result is a piece of legislation that is flexible and far less intrusive and prescriptive than other possible legislative approaches. The Canadian legislation enshrines high-level privacy principles while avoiding unnecessary and costly regulation and providing necessary flexibility to tailor specific privacy practices to the unique circumstances of specific industry sectors.

As leaders within our industry, we are committed to fair information practices within our individual companies, and to new voluntary initiatives that will further strengthen the level of privacy protection afforded to our customers and employees. Public education combined with market-developed technological solutions tailored to consumers’ concerns and market demand will assist in providing the most efficient and effective means to protect personal information.

The Bell Companies have supported the Canadian government’s steps in pursuing a new model for the protection of personal information in the private sector, a model tailor-made for Canada which builds on the voluntary efforts of consumer groups, industry and governments.

We believe the best model in Canada for private sector privacy legislation is a strong and consistent framework of harmonized federal-provincial laws. Most importantly, only consistent harmonized privacy laws across all jurisdictions will provide the level of privacy protection that individuals seek and require for the growth of global electronic commerce.

The Bell Companies remain committed to working with governments to promote 
effective privacy protection within a broader societal context. 

We wish you well in your deliberations. 

CSA Code — Principles in Summary 

Principle 1 — Accountability: An organization is responsible for personal infor- 
mation under its control and shall designate an individual or individuals who are 
accountable for the organization’s compliance with the following principles. 

Principle 2 — Identifying Purposes: The purposes for which personal informa- 
tion is collected shall be indentified by the organization at or before the time the 
information is collected. 

Principle 3 — Consent: The knowledge and consent of the individual are required 
for the collection, use, or disclosure of personal information, except where inappro- 
priate. 

Principle 4 — Limiting Collection: The collection of personal information shall 
be limited to that which is necessary for the purposes identified by the organization. 
Information shall be collected by fair and lawful means. 

Principle 5 — Limiting Use, Disclosure, and Retention: Personal information 
shall not be used or disclosed for purposes other than those for which it was col- 
lected, except with the consent of the individual or as required by law. Personal in- 
formation shall be retained only as long as necessary for the fulfillment of those 
purposes. 

Principle 6 — Accuracy: Personal information shall be as accurate, complete, and 
up-to-date as is necessary for the purposes for which it is to be used. 

Principle 7 — Safeguards: Personal information shall be protected by security 
safeguards appropriate to the sensitivity of the information. 

Principle 8 — Openness: An organization shall make readily available to individ- 
uals specific information about its policies and practices relating to the management 
of personal information. 

Principle 9 — Individual Access: Upon request, an individual shall be informed 
of the existence, use, and disclosure of his or her personal information and shall 
be given access to that information. An individual shall be able to challenge the accuracy 
and completeness of the information and have it amended as appropriate. 

Principle 10 — Challenging Compliance: An individual shall be able to address 
a challenge concerning compliance with the above principles to the designated indi- 
vidual or individuals accountable for the organization’s compliance. 
Mr. Stearns. Thank you, Mr. Henry. 

Let me start off. Mr. Winer, if we enacted — if we had the Euro- 
pean Union privacy laws, what would be the cost to American tax- 
payers, American businesses? I mean, just give me a little brief sce- 
nario here. I have got lots of questions, so — I mean, it is going to 
be burdensome from your testimony, but, I mean, is there any kind 
of statistical or quantitative 

Mr. Winer. I have never been able to find one, sir. I have asked 
the Europeans any number of times if they have ever done such a 
study. 

Mr. Stearns. Right. 

Mr. Winer. I believe the Department of Commerce may have re- 
quested that information from the EU and never gotten any re- 
sponse back. 

Mr. Stearns. Okay. Ms. Lawler, your company has signed the 
safe harbor, and there is less than 20. So you folks are out there 
early. And so I guess the real question, why — can you sort of let 
us in with a trade secret, why haven’t the other technical compa- 
nies signed on to this safe harbor? We all respect and admire your 
company, and it is one of the bellwether leaders in the industry. 
Why are you way ahead? Why haven’t the other people done it? 

Ms. Lawler. Let me answer that by saying last month I was at 
a workshop on safe harbor that was conducted in the Bay area, 
which by the way was extremely well attended by many large glob- 
al and national concerns. 

And what I heard in comments — I think the first thing to keep 
in mind is that while the safe harbor principles have been under 
discussion for a couple of years, the real final result that was avail- 
able for American businesses to actually look at and evaluate what 
they needed to do to certify to the safe harbor has really only been 
available since November 1st. 

Now, for Hewlett Packard, we really had a running start because 
we had such a strong set of privacy policy and associated practices 
before the actual safe harbor agreement was even ratified, partly 
through our work with the safe harbor — I am sorry — with the BBB 
Online folks and that privacy seal program. 

What I heard from some of my peers in that area is that there 
is still concern about some of the jurisdictional issues. They are 
waiting to see the standard contracts that were discussed in the 
first panel, to see if that was a viable alternative. 

Mr. Stearns. The model directives, you mean? 

Ms. Lawler. Excuse me? I am sorry. 

Mr. Stearns. You are saying contracts. 

Ms. Lawler. The standard contracts that one would sign with 
each 

Mr. Stearns. For safe harbor. 

Ms. Lawler, [continuing] protection authority. 

Mr. Stearns. Okay. 

Ms. Lawler. As opposed to safe harbor, evaluating that as an al- 
ternative. Some companies are actually looking at developing very 
elaborate express permission scenarios, very expensive. 

Frankly, a lot of companies just simply are not as far along in 
their internal practices and take safe harbor and the principles out- 
lined very seriously. And so I think it is going to take them some 
time to evaluate where they are at, what they are doing, and it is 
probably about a year process for them. 

Mr. Stearns. Mr. Winer, does the safe harbor provide a prudent 
option for American companies to comply with the EU directives, 
in your opinion? 

Mr. Winer. If you are a company with a complex corporate struc- 
ture, it is going to be very difficult because of the — each company, 
each structure, is viewed to be a third party, and you have to agree 
not to transfer to third parties, which could include intra-company 
transfers. Of course, it can’t apply to financials or telecoms because 
they are not within the jurisdiction. 

I think it is up to each company. The fact that so few have so 
far chosen to sign on is a vote with your feet proof that to date it 
has not been an attractive option for most companies. I think it 
would be terrifically valuable if we were able to get a cost assess- 
ment — as an answer to the question you asked me — done by proper 
economists, properly trained people, to try and figure out what real 
compliance costs are likely to be. 

I noted in the testimony of my colleagues from HP, they are 
doing a very great job, but they confessed, I believe, at one point 
that there are some areas that they are finding some difficulty in 
completely meeting the terms of the directive as they develop their 
processes. So it is going to be a bit of work for everybody, and po- 
tentially an expensive one. We ought to know the costs. 

Mr. Stearns. Ambassador Aaron, you stated that the provisions 
of the safe harbor had to be more flexible than the directive and 
address real-world information practices on a reasonable basis. Yet 
only 26 companies and organizations have signed up for the safe 
harbor. Does this suggest that safe harbor is not a reasonable op- 
tion for American companies? 

Mr. Aaron. I think it is a very reasonable option, and I might 
say that since we have had some of our panelists here say that it 
was either too tough and onerous, and others said it didn’t mean 
anything and would not help, I think we have probably hit the 
sweet spot in trying to put this thing together. 

I think the main reason that companies haven’t signed on yet is 
that it is very complicated, and they want to look at it carefully. 
I think you could tell, even from the discussion this morning with 
the European Data Protection Authorities, even there is some con- 
fusion on their part as to exactly how all of this would work. 

Well, I would be careful, too. And we are advising our clients 
that the safe harbor is a good way to go but that they have got to 
be very careful in how they do it, and that they have got to be sure 
that it is going to apply. 

My principal concern at this point has been the fact that the Eu- 
ropean Union has started to chip away at the safe harbor. First, 
in the final days of negotiation, they made changes to how em- 
ployee data would be covered, making it much more difficult than 
the safe harbor ought to operate from the standpoint of enforce- 
ment. 

There are suggestions now that the — from the data protection 
authorities that if you send a cookie from the United States to a 
computer in Europe, that this somehow creates a facility in Europe, 
and, therefore, operates under European law, and, therefore, somehow 
the safe harbor doesn’t apply; it has got to be European law. 

Well, I talked to the Commission personally on this issue, and 
they were rather horrified by this conclusion because it has impli- 
cations for taxation and a whole lot of other things. And they are 
going to seek to get this clarified, but it is the kind of uncertainty 
that I think causes companies pause. 

Mr. Stearns. My time has expired. 

Mr. Towns? 

Mr. Towns. Thank you, Mr. Chairman. 

Let me continue with the Ambassador. Is there an organized ef- 
fort by some in the business community to keep U.S. firms from 
signing on to the safe harbor? 

Mr. Aaron. I, frankly, don’t know. I haven’t personally encoun- 
tered — I know there were some people toward the very end of the 
negotiation that raised some objections, some of them of the sort 
that we have heard here today. But I don’t know of any organized 
effort to boycott it in any way. 

Mr. Towns. Well, in a recent article in Computer World, a rep- 
resentative of Dun & Bradstreet said that safe harbor allowed that 
company to obtain waivers for data transfers so that it could con- 
solidate a UK-based data center with one in New Jersey. Do you 
believe that safe harbor helps keep data firms and jobs in the 
United States? 

Mr. Aaron. Well, there is no question about it. If — you know, 
there are two ways to run a business. One is you can totally decen- 
tralize, and if you are dealing with European employee data, cus- 
tomer data, that sort of thing, if you just keep it in Europe, but — 
particularly if there is obstacles to bringing it back to the United 
States. 

I have one client who is — that basically provides a service that 
involves employee evaluation, and they provide this service to com- 
panies all over the world. And so they get evaluations from superi- 
ors and subordinates and colleagues and self-evaluations, and so 
forth. They do all of this processing in the United States. 

Now, if they are not a member of the safe harbor, they are not 
going to be able to be in business. Now, they can go toward con- 
tracts, but I think, as Mr. Winer indicated, these contracts are 
enormously onerous. The basic principles are the same as the safe 
harbor, but then they tack on a whole series of other things about 
rights, private action, and all the rest, that this is not going to turn 
out to be an attractive alternative. 

So I think at this point you have basically got the safe harbor, 
you have contracts, and that is what you have got. And I think the 
safe harbor is a much more congenial, flexible tool, even though it 
may go further in some respects than we would like. 

Mr. Towns. Anybody disagree with that? Yes? You have a com- 
ment on that? 

The reason I — let me just say, the reason I ask that, not that I 
am interested in having a debate of any sort, but the point is that 
I just think this issue is just so serious that we need to make cer- 
tain that we get as much information as possible before we move 
forward, because I am convinced that something is going to be done 
in this Congress. So I really want to get information. 
Yes? 

Mr. Reidenberg. I would hope you are right that this Congress 
will do something to protect privacy in the United States. I guess 
I disagree with at least one statement, that in the absence of sign- 
ing up for safe harbor the companies will not be able to transfer 
data back to the United States. 

Article 26 of the directive has a series of derogations from safe 
harbor — or, excuse me, has a series of derogations from export pro- 
hibitions that are more extensive than simply having a contract be- 
tween an American data importer and the European data exporter. 

The other thing that I think the committee ought to be aware of 
is that the export prohibition provision did not begin with the Eu- 
ropean directive. It began with member state law that preexisted 
the directive for many years. 

And many of the certainly larger American companies have been 
dealing with this as a fact of life for more than 20 years in some 
member states and have not had problems, because they have 
worked with the national data protection authorities in each of 
those member states, assuring them of treating the European data 
with fair standards in the United States. 

So if it is a company that is treating data fairly in the United 
States, I find it very perplexing that they have such difficulty ei- 
ther signing onto a contract for data protection or subscribing to 
something like the safe harbor, the substantive standards of the 
safe harbor. 

If they are indeed practicing privacy, these obligations should not 
be that — should not be burdensome for them. Again, keeping in 
mind if they are operating in Europe, they are under legal obliga- 
tion in European countries to do that anyway. 

Mr. Towns. Thank you. 

Yes, Mr. Winer? 

Mr. Winer. Yes, sir. I would say that the devil is in the details 
in this area. And one of the reasons why so few companies have 
signed up is because you have to do a very detailed analysis of how 
the safe harbor applies to your actual operations and information 
systems. And if you have got a complex corporate structure or com- 
plex sets of information, you may not be able to live up to the safe 
harbor very easily. It may be expensive and difficult. 

So its value is very fact-dependent, and there are lots of gaps. 

Mr. Aaron. May I just add one point? This is true of any privacy 
policy. And one of the great and surprising things is that if you 
would talk to most companies about the privacy policy, you can 
often find out that they just borrowed it from some other company. 
They just went on the web, took the privacy policy, stuck it on 
there. It has nothing to do with their business. 

You talk to general counsels of major corporations about their 
privacy policy, and you ask them, “Do you collect personal data? 
And who do you share it with?” And they say, “We will get back 
to you,” because they don’t know. They have to go all the way down 
to the data base managers and find out what is really happening 
in those companies. 

This is true of any privacy policy. It goes to the heart of most 
companies and business operations, and it is a crucial thing, and 
it is going to cost money for everybody. 
Mr. Towns. All right. Mr. Chairman, my time has expired. 

But let me commend Ms. Lawler for her company in terms of 
their moving forward. I just wanted to let you know that we salute 
you for that. 

Ms. Lawler. Thank you, sir. 

Mr. Towns. Right. I yield back. 

Mr. Stearns. Mr. Buyer is recognized for 5 minutes. 

Mr. Buyer. Thank you, Mr. Chairman. 

Ms. Lawler, I have got your web page. Okay? 

Ms. Lawler. Okay. 

Mr. Buyer. One thing I do like about it, what appears to be open 
and conspicuous, and I don’t know if it is redundant, but over here 
it says privacy statement. So you can click on it, right? And you 
get over into it, it says, “Who do we share it with?” i.e. obviously, 
the personal data. 

So you want to get in there, and it is — I heard your testimony. 
It sounds good. So let us examine what you said. HP will not sell, 
rent, or lease your personally identifiable information to others. 
And that is what your testimony was. 

Ms. Lawler. Correct. 

Mr. Buyer. Okay. Now let us go into the but. You then give per- 
mission to your partners 

Ms. Lawler. What I said in my testimony is that we will not 
share with partners without customer permission. I can share some 
examples if you would like. 

Mr. Buyer, [continuing] that you provide online with other HP 
entities and/or business partners who are acting on behalf, and the 
uses are described, how we use it. 

Ms. Lawler. Business partners acting on HP’s behalf. That was 
the scenario I described where their suppliers and service pro- 
viders — they are required and covered under contract and on dis- 
closure to abide by our privacy policy. 

Mr. Buyer. So all of your other subsidiaries or partners whom 
you do business with, you go all the way back to your customer. 
If I click on — my son clicks on and does something with HP, you 
are not going to give any of that data unless you go back and ask 
whether or not you can give it? 

Ms. Lawler. What that is saying is that if they are covered 
under contract, they are covered by the privacy policy. An example 
would be an advertising agency creating material for us or a ship- 
per like, say, Federal Express shipping our product. 

Mr. Buyer. Let me ask this. Do you believe that there should be 
a level of comfort with someone who would use your site, that the 
information or their practice is not going to then be shared with 
your other business partners or arrangements or contractual part- 
nerships that dominoes one after another? 

Can I turn to my constituents and say, “Hey, what HP says is 
when you deal with them, none of that information is going to be 
shared with anyone else unless they come back to you”? 

Ms. Lawler. If you are referring to the situation we talked about 
with suppliers 

Mr. Buyer. No, no, no, no. Don’t go to what your situation is. Go 
to mine. See, I don’t believe 

Ms. Lawler. Can you give me a specific 
Mr. Buyer. I don’t believe you can stand by what you just said. 
That is what I am questioning. First, you give that one statement 
that is pretty emphatic, and then you go into the “unless.” I always 
pay attention to the unless, however, but, comma. 

Ms. Lawler. That is not a but or unless, but I understand what 
your question is. 

Mr. Buyer. All right. I don’t want to quibble with you. 

Ms. Lawler. Okay. 

Mr. Buyer. I just want to get the definition. 

Mr. Stearns. Will the gentleman yield for just a moment? 

Mr. Buyer. Yes. 

Mr. Stearns. Another question you might ask is, how are they 
enforcing against their partners? 

Mr. Buyer. Well, that is the real problem. If you have informa- 
tion which you say, “Well, we are going to give it to one of our busi- 
ness partners,” then you begin to lose control when that business 
partner has a second arrangement with another business partner, 
and all of a sudden it is three, four down the line and you have 

Ms. Lawler. Okay. I need to go back to what I had been saying, 
which is that if it is a partner doing business on behalf of HP — 
in other words, we could have our own shipping organization that 
delivered packages to your door, we could have an in-house ad 
agency, we could have all in-house call centers for an example. An 
alternative is to outsource that effort. 

Outsourced efforts are covered under contract and legal non-dis- 
closure agreements that the vendor — this is a vendor-supplier rela- 
tionship — that they sign. Therefore, they are protected. So they 
have the data, but they are not using it for their own business pur- 
poses. They are using it on behalf of HP contractually; therefore, 
legally protected. 

That is different from a business partnership, say, for example, 
with a software supplier. Say, for example, you bought a Hewlett 
Packard Pavilion PC, and you decided to register that product 
with Hewlett Packard, which, by the way, is your choice. You can 
also choose to register your software applications at the same time 
in one single approach, which many customers see as a benefit. 
Others prefer to register individually. 

So if we think of a major software provider, we provide you the 
option to transmit your personal data to that software provider to 
complete the registration process in one single effort. But we ask 
that permission question before that happens. And if you don’t 
want to do that, it doesn’t happen. You are in control. 

Mr. Buyer. Thank you. 

Mr. Stearns. The gentleman from Tennessee, Mr. Gordon? 

Mr. Gordon. Thank you. We only have 5 minutes just like you 
do, so I am going to try to be quick with three questions and hope 
you will be quick with three answers, or at least the first two. 

Ambassador Aaron, if you could help maybe clear up a question 
I had raised earlier concerning the safe harbor, and that is that if 
a company is within safe harbor, then FTC makes those determina- 
tions. My concern is, then, does the — is there a veto or an override 
in some regard by any of the EU countries to say that the FTC is 
not doing their job properly or they don’t agree? 
Mr. Aaron. No, there isn’t. Now, having said that — and that is 
part of the deal. Having said that, if Mr. Rodota, for example, 
should decide he didn’t agree with that and he thought that some 
U.S. — some firm in Italy was sending information to a company in 
the United States that wasn’t behaving properly, and he moved to 
enjoin that transmission of information, then it would be the re- 
sponsibility of the European Commission to go after Mr. Rodota 
and to get together his various committees and make a determina- 
tion as to whether Mr. Rodota was in his rights or was not. 

And they have made clear to us, in the course both of the nego- 
tiations, that they would move to insist that the national data 

Mr. Gordon. So they can overrule the FTC. 

Mr. Aaron. They can overrule the 

Mr. Gordon. Well, that is all I wanted to 

Mr. Aaron. They can overrule the national — the Commission can 
overrule the national Data Protection Authority. 

Now, anybody can sue anybody. If somebody goes into court and 
says, “I am not being protected in a European court,” then the Eu- 
ropean Commission will weigh in on the side of the U.S. defendant 
if they are within the safe harbor. 

Mr. Gordon. But they still can overrule the FTC, the individual 
countries, can’t they? 

Mr. Aaron. No, they cannot. The European Commission comes 
in and declares that action illegal or unacceptable. 

Mr. Gordon. But isn’t that the same thing? 

Mr. Aaron. No. The action of the member state is illegal or unac- 
ceptable. In other words, any 

Mr. Gordon. But can they rule that it is acceptable, their action 
is acceptable? 

Mr. Aaron. Well, I suppose that is conceivable, but then that is 
a violation of our agreement and that raises everything to a polit- 
ical level and we begin to 

Mr. Gordon. So why would — okay. Well, maybe I just need to 
understand that more. 

Mr. Winer, you gave a lot of reasons why the EU should not go 
forward with the regulations that they have. Is there any reason 
that they can’t make a bad decision? I mean, you said it is a bad 
decision. But do they have the right to make that bad decision? 

Mr. Winer. They certainly have the right to make a bad decision. 
The question is, what is the U.S. response when another country 
makes a bad decision? 

Mr. Gordon. That is the main thing I wanted to know. 

Mr. Winer. Yes, sir. 

Mr. Gordon. So they have the right to make that bad decision. 

And, finally, if I can — Mr. — I guess this is — Mr. Reidenberg, if I 
was a — from a business perspective, what makes me most con- 
cerned about dealing with the EU would be the uncertainty as well 
as maybe the arbitrariness of how some of the rulings, you know, 
could be arbitrated. 

I think you have what I would think is the best suggestion, and 
that is some type of international treaty which would go beyond 
EU into problems around elsewhere. What would be the vehicle for 
that international treaty? 

Mr. Reidenberg. The WTO, in particular, Telecoms Annex. 

Mr. Gordon. Yes, okay. 

Mr. Reidenberg. There is a specific exception for restrictions on 
trade and services and information under the Telecoms Annex for 
privacy. And the WTO agreements require biennial assessments at 
a ministerial level for 

Mr. Gordon. Is there any kind of effort going on to develop some 
international standards in that regard? 

Mr. Reidenberg. There has been some suggestion that the WTO 
take it up. To my knowledge, that has not yet happened. I think 
it is inevitable that the WTO will have to focus on privacy issues. 
I would prefer to see the United States taking the lead than being 
the second seat at the table. 

If I may for a moment refer specifically — this goes back to your 
first question that you raised with Ambassador Aaron. Article 3 of 
the Commission decision of July 26th, which is the decision approv- 
ing the safe harbor, specifically allows the member state data pro- 
tection authorities to reject transfers to a company on the safe har- 
bor list. 

So the specific answer is Article 3 — it is specifically Article 3, 
clause 1(b), specifically says that the member states under certain 
circumstances can refer to recognize a company on — listed on the 
Commerce Department’s listing of certified safe harbor companies. 

Mr. Gordon. Well, that was my understanding. 

Ambassador Aaron, I guess you can say it, but maybe I don’t un- 
derstand it, I mean, why do you see this differently than the rest 
of us? 

Mr. Aaron. Because the Commission has further powers. The 
Commission has the power to look at any decision made by a na- 
tional Data Protection Authority and decide whether it is within 
the scope of the safe harbor or whether it is doing something aber- 
rant. It has nothing to do with the safe harbor, trumping the FTC, 
doing something 

Mr. Gordon. Right. 

Mr. Aaron, [continuing] of that sort. 

Mr. Gordon. So however you get there, but that is the same re- 
sult. I mean, that they can overrule the FTC, can’t they? But why 
don’t you maybe 

Mr. Aaron. No. 

Mr. Gordon. Again, I am just wondering, why do you see this 
differently than everyone else here? 

Mr. Aaron. I guess maybe because I negotiated it and I know 
what those words mean. 

Mr. Gordon. Or is that just editorial pride? 

Mr. Aaron. No, I don’t think so. I don’t think so. I don’t think 
I actually wrote the words. 

Mr. Gordon. Okay. 

Mr. Aaron. What happens is that if the national — there are 
some exceptions, as you pointed out. But, basically, if the national 
data protection authorities do not recognize the safe harbor, the 
Commission has the right to come in and make them recognize it. 
That is the deal. So if they do something 

Mr. Gordon. They have the right to, but does that mean that 
they have the obligation to? 

Mr. Stearns. The gentleman’s time has expired. 
Mr. Aaron. Well, that 

Mr. Gordon. I mean, if they don’t have the obligation to, then 
it doesn’t really matter, does it? 

Mr. Aaron. Well, they actually have the obligation to under their 
own rules. 

Mr. Gordon. Thank you. 

Mr. Stearns. The gentleman’s time has expired. 

The gentleman from Georgia, Mr. Deal, is recognized for 5 min- 
utes. 

Mr. Deal. Thank you, Mr. Chairman. 

Mr. Henry, as I understand, what has happened in Canada is 
you started out with industry code that was industry derived, and 
that has now been backed up with legislation, but the legislation 
is very flexible and embodies the possibility for many variations of 
types of agreements. Is my understanding correct? 

Mr. Henry. Flexible in the sense that it allows — it sets out a 
number of obligations. But the manner in which you meet those ob- 
ligations or fulfill them leaves some flexibility. So, for example, dif- 
ferent industries, it actually envisages that different industries 
would develop different practices to reflect the particular business 
circumstances, still complying with the principles and having an 
obligation to comply with the principles. 

And consent as well is a flexible concept. The form of consent de- 
pends very much on both the sensitivity of the information and the 
circumstances, and so on. 

Mr. Deal. But these are national standards with 

Mr. Henry. Right. 

Mr. Deal, [continuing] the right of territorial 

Mr. Henry. Right. 

Mr. Deal, [continuing] variations. 

Mr. Henry. Right. 

Mr. Deal. I guess the next question, then, is, has the EU ac- 
knowledged your legislation and your code as an acceptable compli- 
ance with their directive? 

Mr. Henry. It is in the process of doing so. There is a couple of 
working group studies underway. I think Mr. Smith earlier ac- 
knowledged that it looks like they will accept it, and certainly 

Mr. Deal. Will it be a blanket approval, or will it — since there 
is flexibility, would it be a case-by-case determination? 

Mr. Henry. Well, our hope and understanding, and the Canadian 
government’s hope and understanding, is that it will be accepted. 
The EU is looking at it, and once they understand it we are con- 
fident that they will accept it. Yes, absolutely. And it was drafted 
not only with that in mind but certainly with that in mind, that 
it was to comply with the EU directive. 

Mr. Deal. All right. 

Mr. Henry. And if I could just add one other thing. When I say 
“flexibility,” it is flexibility on those points I talked about. On the 
enforcement side, I think it is much stricter. There is a privacy 
commissioner with a lot of power. There is possibilities to go to 
court. There is audits. There is public reports that the privacy com- 
missioner can make. So it is quite strict in that sense. 

Mr. Deal. Professor Reidenberg, I believe your suggestion of try- 
ing to arrive at some standard initiated that would be acceptable 
to our country, and then going through WTO to see if we could arrive 
at a mutually agreeable standard, is probably a very good approach. 

But your comments also indicate that if American companies are 
really doing basically what they should be doing, they really 
shouldn’t have that much trouble under the current arrangement, 
even though it is somewhat disjointed. Is that a fair summary of 
what I heard you say? 

Mr. Reidenberg. Yes and no. I think it is a fair summary, but 
it probably doesn’t completely present an accurate picture. If Amer- 
ican companies were doing what they were supposed to be doing, 
and by that I am going to treat that as an American standard, if 
companies were treating information fairly with the kinds of prin- 
ciples that we have long recognized in the United States going back 
to the OECD guidelines from the early 1980’s, if they were doing 
that, then substantively they should be in compliance with the 
kinds of obligations that the European directive imposes. 

It would not, however, alleviate the practical problem of having 
to prove their adequacy on a case-by-case basis, because there 
would be no obvious legal right to point to, no obvious enforcement 
ability to point to. They would have to go and show case by case, 
yes, we are doing these things. So 

Mr. Deal. Mr. Winer, or Ambassador Aaron, do either of you dis- 
agree that going to a standard — WTO approved standard would be 
not a desirable goal to try to shoot for? Or is there a better way? 

Mr. Aaron. I think there is a better way, and I think the better 
way was reflected in the testimony we heard earlier, which is a 
thing called the global business dialog for e-commerce. They are in 
the process of developing a number of private sector, international 
rules and standards, much along the lines that the Canadian pri- 
vate sector did, kind of a code of conduct. 

I think that is likely to be much more flexible, much more effec- 
tive, much more widely accepted, and to try to go into an organiza- 
tion of 140 or 70, or I don’t remember how many members there 
are now, including China and a couple of other countries, and try 
to negotiate privacy, this is not going to be an easy thing to do. 

Mr. Deal. Thank you, Mr. Chairman. 

Mr. Stearns. Thank you. I think — there are just a few of us 
left — we will take another quick round. Make sure you don’t miss 
your planes. 

Mr. Henry, it seems like Canada has developed something with 
the participation of industry. So industry came in and participated 
in developing the code and practices, as I understand it, that is tai- 
lored to the different industry that applies. 

Did you find that industry’s participation made it less burden- 
some? I mean, that relationship, did that make it palatable for 
them to take an all-encompassing law? I mean, you might give us 
just a little 

Mr. Henry. Absolutely. What they did was develop a code that 
was at a higher level, and that code is a single code. That is a CSA 
Code. But that code itself allows and envisages that industry-spe- 
cific sectoral codes could be developed to be in compliance with that 
code. And so 
Mr. Stearns. Ambassador Aaron, you mentioned the global business 
dialog of e-commerce. So if you were in a position where you 
could wave a magic wand and put in place, for the United States 
or for world commerce, one consistent privacy practice, how would 
you do it, and what would it be? 

Mr. Aaron. Well, I think that the basic principles that were con- 
tained in the OECD privacy principles are a good place to start. 
But it is very important to recognize that different sectors of the 
economy have different privacy requirements and need different 
kinds of flexibility. 

So I would build from there, but I would try to realize that there 
are sectoral differences. For example, the Europeans don’t accept 
our Gramm-Leach-Bliley and Fair Credit Reporting Act. I think 
this is a big mistake on their part. We provide tremendous 

Mr. Stearns. They don’t accept our what? 

Mr. Aaron. They don’t accept that the Gramm-Leach-Bliley pri- 
vacy protections and the Fair Credit Reporting Act protections 

Mr. Stearns. Oh, okay. 

Mr. Aaron. [continuing] are adequate. 

Mr. Stearns. Okay. 

Mr. Aaron. They think that is not adequate privacy protection. 
I think that is entirely unacceptable for us. And, of course, we are 
going to come to the crunch on this issue pretty soon. But those 
two acts working together provide tremendous privacy protections, 
and they are enforced by the Fed and by the Office of Thrift Super- 
vision and all the rest of it. 

But I really think you can’t just spell out — well, I would be 
happy to do it at some point, maybe write a book about it, but I 
think you really have to think about — you know, you have to give 
notice; how much? You have to give choice; opt-in/opt-out. You have 
to talk about third parties and your obligations. 

Mr. Stearns. Do you think in opt-in or opt-out there is a favorite 
in your mind? 

Mr. Aaron. I think that opt-out ought to be quite acceptable for 
many, many purposes. 

Mr. Stearns. So 

Mr. Aaron. And, in particular, let me just say one thing. You 
know, the debate that took place in Gramm-Leach-Bliley, during 
that period, was whether there should be opt-in for sharing with 
affiliates. That was the big fight over that issue. 

Well, the Europeans say, “No, you have to have” — what we were 
trying to do with that was to try to make us equal to the Euro- 
peans. The European banking institutions and financial institu- 
tions aren’t structured the way we are. They have insurance. They 
have brokerage. They have banks. They are not affiliates. They are 
actual divisions of a company. So, therefore, they share this be- 
tween each other all the time, with no difficulty. 

We are structured — many of our companies are structured dif- 
ferently. So all of a sudden you get this issue of affiliate sharing, 
and whether there should be opt-in or there should be opt-out. 
Well, I think we have got to be careful there because the fact of 
the matter is if we accepted either one of those procedures — and we 
did accept opt-out to some extent — we find ourselves at a competi- 
tive disadvantage. 
Mr. Stearns. Mr. Winer and Professor Reidenberg, both of you 
briefly tell me what you would do if you could wave a magic wand 
to get this privacy so that it would be a global business policy. 

Mr. Winer. For starters, the EU needs to recognize the US sys- 
tem for protecting privacy as adequate. Our system protects pri- 
vacy in practice better than the EU system. You go in, you get pri- 
vacy policies 

Mr. Stearns. So they have got to recognize the Gramm-Leach 
bill. 

Mr. Winer. Absolutely. And Fair Credit Reporting. You look at 
the privacy policies companies put online. If you don’t do that, you 
are going to have customer problems, you are going to have FTC 
problems, you are going to have Attorney General problems. 

We have a system in this country of regulation and enforcement 
that is very aggressive. You go over to the EU they have got soft 
guidelines, and they have got much less enforcement. They don’t 
have regulations for the most part. 

And the testament is, you get the consumer groups looking at it, 
and they are saying, “Yes, America actually does it better, even 
though the EU standards are tougher.” So the first thing would be 
they have to recognize our system and give due respect to our sys- 
tem. Yes, sir. 

Mr. Stearns. Okay. Professor? 

Mr. Reidenberg. I think it is nonsense that Gramm-Leach-Bliley 
meets the standards contained in the European directive. I think 
we are bandying about the term “adequate” in different ways. Ade- 
quate, under the directive, means does it satisfy the obligations 
contained in the directive. 

We may talk about it as being adequate for the American context 
as enacted by Congress. I personally have views much more 
akin to Mr. Markey’s from this morning. But in terms of the 
Gramm-Leach-Bliley compared to the standards in the directive, 
Gramm-Leach-Bliley is essentially a notice and consent statute. 
The directive contains substantially more than that in terms of fair 
information practices. 

It contains data subject access rights. It contains security rights. 
It contains a whole host of things that Gramm-Leach-Bliley is just 
simply silent on. 

Similarly, the Fair Credit Reporting Act is a very important 
piece of privacy legislation in the United States. But if you look at 
it carefully in the context of the directive, and if you look at it care- 
fully in its own context, it has the most tortured set of definitions 
for what is covered under the Fair Credit Reporting Act of any re- 
cent legislation we have had. 

What I would do in the United States, I would enact the OECD 
guidelines and statutory obligations, and I think we need to look 
at some creative ideas like creating a mechanism such that — a safe 
harbor mechanism so that companies have a degree of certainty in 
particular contexts what their obligations are under a statutory en- 
actment like the OECD guidelines. 

Mr. Stearns. My time has expired. 

Mr. Towns? 

Mr. Towns. Thank you very much, Mr. Chairman. 
Mr. Winer, I see from your statement that in the previous administration 
you served in the State Department and were engaged 
in negotiations with the EU. When you were at the State Depart- 
ment, were you a member of the United States delegation that ne- 
gotiated the EU-U.S. safe harbor agreement? 

Mr. Winer. No, sir. 

Mr. Towns. So you are not appearing at this hearing as an ex- 
pert witness based on any direct involvement in those negotiations. 
Is that correct? 

Mr. Winer. In those negotiations, no, sir. I did lots of other nego- 
tiations with the EU, however, sir. 

Mr. Towns. Your written statement says that you are affiliated 
with the law firm of Alston and Byrd, and that you spend much 
of your time, “Counseling U.S. companies about privacy issues,” in- 
cluding the EU privacy directive that is the subject of this hearing 
today. 

Are you representing clients this afternoon in your appearance 
before the subcommittee? And, if so, who are they? 

Mr. Winer. No, sir, I am not. These represent my views. No one 
from outside my law firm reviewed any aspect of my testimony 
prior to my writing it. It reflects my views. In fact, it reflects opin- 
ions that I held when I was in the Clinton Administration. 

Mr. Towns. Okay. Well, do your clients want to see the safe har- 
bor agreement terminated? 

Mr. Winer. I have not asked that question of any client, if they 
want the safe harbor agreement terminated. I think what people 
want is a safe harbor that is going to work for them. 

I think what they want is respect for — when you are in compli- 
ance with U.S. law, that you are not going to be punished for when 
you act in compliance with U.S. law by somebody else, and that 
your compliance with U.S. law will buy you some protection against 
being punished elsewhere. I think that is what some people would 
like to see, sir. 

Mr. Towns. All right. Thank you. 

Ms. Lawler, you know, I am still back on the question that Con- 
gressman Buyer raised, if there was a violation. It is my under- 
standing that if HP would actually be liable to its consumer if that 
occurred, and it would be my understanding that then HP would 
go after the vendor, is that correct? 

Ms. Lawler. Correct. 

Mr. Towns. Yes. So I couldn’t quite understand where he was 
going with that. That was really, you know — I couldn’t quite, you 
know — well, anyway, that is another issue. I am sorry he is not 
here, because I don’t want to pursue it any further because I am 
sure he would have, you know, maybe a response. It is unfair I 
think to pursue it, you know, because of the fact that he is not 
present. But I just had to say that because I have thought about 
it. 

The other thing is that, basically, I wanted to raise with you, Ms. 
Lawler, it is my understanding that the EU has tried for years but 
so far has failed to agree on what a model privacy contract should 
look like. Nevertheless, contracts are being entered into every day. 

Do U.S. companies have sufficient commercial presence in the 
EU that they can hold their own in these contract negotiations? Or 
does the absence of a model contract mean that our companies are 
at the mercy of EU privacy directives? 

Ms. Lawler. I think the companies that are looking at this issue 
have significant presence in Europe, and not just in Europe, quite 
frankly, and have fairly sophisticated groups, both in legal and con- 
tracts, that certainly could hold their own if they chose to pursue 
that particular route. 

I know for Hewlett Packard we made a very distinct business 
strategy decision not to get into the contracts business if you will. 
Our business, as many technology companies — business changes so 
rapidly that you are essentially in an ongoing contract discussion 
that never ends. And we didn’t feel that was a good business model 
for us. 

Mr. Towns. All right. Thank you. 

Professor Reidenberg, let me say we have something in common. 
You know, I was on staff at Fordham as well, I want to let you 
know, so we have that in common. 

Now I will ask you the question. The international treaty that 
you talked about to solve the privacy issue, what is the timetable, 
the timeframe, with that? You know, because when you think 
about these kinds of things you think about, you know, something 
going on and on and it might not even happen during my lifetime. 

Mr. Reidenberg. I can’t predict how long it would take to nego- 
tiate such a treaty. It certainly would not happen overnight. But 
then, if we look at the basic privacy principles that the United 
States domestically has committed to over the years, and those in 
the directive, they have been around for 30 years. They have been 
pretty enduring. So my guess is it would take a couple of years to 
negotiate it. 

At the WTO, they will — as I said, I think it is inevitable that they 
will have to focus on privacy in the context of the trade and serv- 
ices assessments that take place every 2 years. Now, whether it 
will be this year or next year, I couldn’t tell you, but I think it will 
be imminent that this will have to be on the agenda. 

Mr. Towns. Thank you very much, Mr. Chairman. My time has 
expired. 

Mr. Stearns. I thank my colleague. 

Mr. Deal, you are recognized for 5 minutes. 

Mr. Deal. Thank you, Mr. Chairman. 

Well, I omitted saying at the outset thanks to all of you for being 
here. I think we have heard some very good testimony and cer- 
tainly this panel and the preceding panel have given us informa- 
tion that is important in our deliberations. 

But I suppose always there is, from our perspective, the question 
of, what is the starting point and what is the goal? And I have 
heard very divergent goals set forth here, and I guess I am prob- 
ably at this point in time coming down on the side of saying that 
our approach maybe should be something similar to what the Canadians 
have done, and similar to what — the position Mr. Winer 
has advocated. 

And that is, once we have legislatively determined what stand- 
ards we feel are acceptable and agreeable for our constituency as 
citizens of our country, then we then move to the next stage of, do 
our trading partners agree with that? And if they don’t, then what 
modifications, if any, should we come to? And, of course, we have 
not fully come to those conclusions. 

And, obviously, Professor Reidenberg, I have a connection, too. 
My son-in-law is a graduate of Fordham, so we will make that con- 
nection. 

But, obviously, yours is a much more long-term goal of having 
something in a more international context whereby you would have 
an agreement that was enforceable. But for the immediacy of the 
problem, I think we would all recognize that that is fraught with 
great difficulties. 

Obviously, some who are members of WTO think that govern- 
ment should know everything, and some of us think they should 
know nothing. And I think it would be very difficult in a short 
timeframe to come to a standard that would perhaps be acceptable 
without major deviations from it or exceptions carved out of it. 

I think from my perspective, our focus should be, in the short 
term, let us decide what standards our people want, and then, if 
at all possible, try to mesh those with our trading partners as they 
now exist. If those can be done, it seems to me then we have a very 
workable base from which to move to a broader WTO-type concept. 
Am I looking at it in an unrealistic fashion? 

Mr. Aaron. I don’t think so, Mr. Deal. I think that one of the 
difficulties that I had in negotiating the safe harbor is that we real- 
ly didn’t have anything to sort of say, “This is where we are.” 

Mr. Deal. Right. 

Mr. Aaron. And so I had to kind of negotiate off of their sheet 
of music. It would have been much better for me, as well as I think 
for the country, if we had had something of our own. 

The one thing, I would make one comment about the Canadian 
rules. They are really designed — they are very much in the mold 
of the European ones, and they have very strong enforcement pro- 
visions. And that is the one thing that I think is going to be very 
difficult for the United States. 

We looked at this back in the 1970’s, at an idea of a comprehen- 
sive privacy program, what the privacies are, and all that kind of 
stuff. And we came to the conclusion that this might well threaten 
people’s privacy. I mean, somebody independent 

Mr. Deal. We don’t want to tell anybody, so he can decide. 

Mr. Aaron. Yes. I mean, this is — so that very key thing — and 
that is the key thing that makes it acceptable to the Europeans. 
So we still have something resembling a square that needs to be 
circled. 

Mr. Deal. Mr. Winer? 

Mr. Winer. Yes, sir. I think if you think of the U.S. approach 
with consumer issues, it is very often an approach of fairness in 
which you want to say, “Has the person been informed about what 
is going to happen? Has the person consented to what is going to 
happen?” If you have got a situation where somebody has been in- 
formed and consented, that tends to be acceptable in American 
commercial and consumer context in many, many situations. 

Now, of course, there are situations at the very extremes where 
you want to go beyond that. But informed consent is the heart of 
our system, and seems to me might be a basis for proceeding here, 
sir. 
Mr. Deal. Professor? 

Mr. Reidenberg. Let me come back I think first to your original 
query. I think you are absolutely correct. We first have to get our 
house in order and deal with privacy in the United States. 

Part of — and I agree completely with Ambassador Aaron, part of 
the difficulty in dealing with the rest of the world right now is that 
the rest of the world is looking to Europe for leadership on privacy 
and is no longer looking at the United States. We used to be the 
leaders. That is no longer the case. 

So I do think we do, first, indeed have to focus on what are the 
kinds of rights for the American democracy that we need to protect 
in the context of privacy. And in that context, we have to do more 
than just give window-dressing privacy. We need enforceable rights 
that have legal remedies for individual citizens who are victimized. 
That is something that is also very typical in the American context. 

And I think that in this area in particular there are some in- 
stances where informed consent is not likely to be satisfactory for 
us. We find privacy is a political right. Privacy has very important 
political implications, and we don’t in the United States allow sell- 
ing of votes. There are instances where we should not be in the po- 
sition of forcing citizens to sell their privacy so that they can get 
an extra couple of dollars off. That essentially says rich people have 
privacy and poor people don’t, and I don’t think, as a society, we 
should accept that in the United States. 

Mr. Deal. Thank you, Mr. Chairman. 

Mr. Stearns. I thank my colleague, and I thank panel two, espe- 
cially for your patience in waiting when we went through over an 
hour of voting. I appreciate your attendance, and I thank my colleagues 
for staying with us. This is a very nuanced debate that will 
continue. 

With that, the committee is adjourned. 

[Whereupon, at 3:13 p.m., the subcommittee was adjourned.] 